The comment module is included in core. That's fine BUT...
Normal users aren't savvy enough to know that by enabling forms, they're exposing their sites to spammers and the likes.
And, even if they are, they might not be aware of the different options to protect themselves. (Like me recently. I didn't know there were plugins in Wordpress that helped against this. Yes, the monkey is slow. Quit your giggling)
Soon, users will encounter the barrage of spam comments and, frankly, that's just not a nice experience to subject users to. They'll get frustrated they aren't getting any real comments and managing tons of spam will become a headache.
Knowing what comes along with comments, is this the UX we want to expose Backdrop users to by default? Shouldn't we provide minimal help given comments are on by default.
I think Backdrop should go the extra mile and enable the Honeypot module by default (users can deactivate them in the config if they so choose).
It'll show the world some thought went behind this instead of letting users fend for themselves, alone.
Backdrop shouldn't be a CMS with just modules slapped together.
Got the idea while thinking through this issue #1168
Recent comments
Thanks, the answer looked useful except that there doesn't seem to be a 'Webform Rules' module in Backdrop. Backdrop 'Rules' therefore doesn't seem to know about submitting webforms. PS...
How to attach a file to a Webform confirmation email
Do you have caching turned on for anonymous users? Can you check access logs and see if you are currently getting consumed by one or more scrapers/bots/AI models?
Database problems
There is a dead link at the bottom of that issue to a step by step guide using Rules but here is the page from the Wayback Machine: https://web.archive.org/web/20200214234910/http://...
How to attach a file to a Webform confirmation email