How can brute forcing passwords still exist if sites lock the account after several failed attempts?

15 Answers

Anonymous

1. Few sites lock accounts after failed attempts. Otherwise, an attacker could still try, until the account is locked, and then the real user would be unable to get in.

2. Classic “aaaaaaaa, aaaaaaab” style brute force doesn’t happen online (by trying against a site live). Dictionary attacks may sometimes happen, but usually site A gets hacked, leaking hashed forms of passwords. You can’t read the password, but you can test whether a password matches the hash.

Brute-forcing the hashes, i.e. trying passwords until one fits the hash, is being done – but since the attacker has the entire database, they can do it “at home” without talking to the site, so no limit applies (except the time/computing capacity needed to calculate the hashes for testing).

Once the attacker has brute-forced a password, they may then possibly use it to log in to the site, but most importantly they will try the same username-password combo everywhere else. They only need one attempt per account! (They may try variants like adding different numbers, but it’s generally a small number of attempts.)

That’s why it’s so important to have completely different passwords for every site.
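The answer above describes two things that a small script makes concrete: checking a candidate password against a leaked hash needs no contact with the site (so lockouts and rate limits never apply), and the only lever the site keeps is how expensive each such check is. The following is an added example, not code from the answerer or from any particular site; the wordlist, the salt and the passwords are constructed demo values. It compares an unsalted SHA-256 record with a salted PBKDF2-HMAC-SHA256 record and measures roughly how much more each offline guess costs against the latter.

```python
import hashlib
import hmac
import time

# Constructed demo wordlist; nothing here comes from a real breach.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correcthorse", "summer2019"]
ITERATIONS = 50_000  # PBKDF2 work factor for the demo; production values are higher


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of 'hashed form' a weakly built site might leak."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt plus PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def offline_dictionary_check(verify, wordlist):
    """Test each candidate against a leaked record entirely offline.

    `verify(candidate)` returns True when the candidate reproduces the leaked
    hash. This is the same computation the site runs at login, but no server is
    contacted, so account lockouts and rate limits never come into play.
    """
    for candidate in wordlist:
        if verify(candidate):
            return candidate
    return None


def crack_fast(leaked_hex: str, wordlist=WORDLIST):
    """Recover a password from an unsalted SHA-256 record, or None if not in the list."""
    return offline_dictionary_check(
        lambda c: hmac.compare_digest(fast_hash(c), leaked_hex), wordlist)


def crack_slow(leaked: bytes, salt: bytes, wordlist=WORDLIST, iterations=ITERATIONS):
    """Same check against a salted PBKDF2 record: works, but each guess is far slower."""
    return offline_dictionary_check(
        lambda c: hmac.compare_digest(slow_hash(c, salt, iterations), leaked), wordlist)


def seconds_per_guess(hash_call, rounds: int) -> float:
    """Rough wall-clock cost of one guess for the given hashing call."""
    start = time.perf_counter()
    for _ in range(rounds):
        hash_call()
    return (time.perf_counter() - start) / rounds


def cost_ratio(salt: bytes = b"constructed-salt", iterations: int = ITERATIONS) -> float:
    """How many times more expensive one offline guess is against the slow, salted hash."""
    fast = seconds_per_guess(lambda: fast_hash("summer2019"), rounds=200)
    slow = seconds_per_guess(lambda: slow_hash("summer2019", salt, iterations), rounds=5)
    return slow / fast


if __name__ == "__main__":
    salt = b"constructed-salt"
    print("unsalted SHA-256 record cracked to:", crack_fast(fast_hash("hunter2")))
    print("salted PBKDF2 record cracked to:  ", crack_slow(slow_hash("hunter2", salt), salt))
    print(f"one guess costs about {cost_ratio():.0f}x more against the PBKDF2 record")
```

The ratio printed at the end is the whole story from the site's side: lockouts only matter for online guessing, so the defence against an offline attack on a stolen database is a per-user salt (no shared precomputation across accounts) and a deliberately slow hash such as PBKDF2, bcrypt, scrypt or Argon2, so that every candidate the attacker tests costs them real compute. A weak password still falls quickly under any scheme, which is the answer's point about using a different password on every site.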
