thinking about this off the cuff, without experience repelling DDoS, but some quick thoughts: - depends on the style/targetting of DDoS attack - hosted Supabase has no API call pricing, so hypothetically it would be Supabase that takes the hit - could hook Supabase up to a CDN like Cloudflare, same as usual?