Hacker News

Why is that better than trying many TOTP codes against one user?


Because you can have a rate limit on attempts against one user. You can't have an effective rate limit on attempts against all users in aggregate. Or rather, you could have one, but the consequence is that a brute-force attack would cause all legitimate users to also be blocked by the rate limit.


Obviously you just rate-limit per client IP.

A rate limit strategy should limit the rate of the attacker, not the victim.

Rate-limiting per email address is just a DoS vector; anyone can prevent a legitimate user from logging in.
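The three rate-limit keys the thread argues over, as an added simulation that is not code from any commenter: a sliding-window counter keyed per account, per client IP, or globally, run against a single-IP attacker spraying one guessed code across many accounts, followed by the victim logging in from their own address. The key functions, sample IPs and account names are constructed for this example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per `key` within `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(strategy, limit=5, window=60):
    """Run an attacker spray plus one legitimate login under a key strategy.

    `strategy` maps (user, ip) -> rate-limit key.
    Returns (attempts the attacker got through, whether the victim's login was allowed).
    """
    limiter = SlidingWindowLimiter(limit, window)
    attacker_ip, victim_ip = "198.51.100.7", "203.0.113.42"  # constructed sample IPs
    users = [f"user{i}@example.test" for i in range(20)]  # constructed accounts
    attacker_allowed, t = 0, 0.0
    # Attacker from one IP tries `limit` codes against every account within a few seconds.
    for u in users:
        for _ in range(limit):
            if limiter.allow(strategy(u, attacker_ip), t):
                attacker_allowed += 1
            t += 0.1
    # Then the real owner of users[0] logs in from their own address.
    victim_ok = limiter.allow(strategy(users[0], victim_ip), t)
    return attacker_allowed, victim_ok


def per_user(user, ip):    # the "per email address" strategy
    return ("user", user)

def per_ip(user, ip):      # the "per client IP" strategy
    return ("ip", ip)

def global_key(user, ip):  # one aggregate limit for everyone
    return ("global",)
```

With the per-account key the attacker gets every attempt through and also locks the victim out, which is the DoS vector the last comment describes; the per-IP key stops this single-source attacker without touching the victim, and the global key stops the attacker but blocks the victim too.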



