User Can Signup with Email that Received Brute Force Block

Problem statement

A user can attempt to log in with a username/email that does not belong to any user account. If Brute-Force Attack Protection is enabled, the following error message will be generated after repeated failures. However, that same username/email can then be used to create a new account, even though it appears to have been blocked.

Your account has been blocked after multiple consecutive login attempts

Solution

This is the expected behavior of the Brute-Force Attack Protection feature. An error message will still appear on the login page indicating that the maximum number of failed login attempts has been exceeded for a username. However, since no account exists with that username, no block is actually put in place, so nothing prevents a new account from being created with that username.
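To make the distinction concrete, the following is an added illustration, not the product's own code: a small Python model in which failed-attempt counters are kept per submitted identifier, the message text from this article is shown once a threshold is reached, but an actual block is only ever attached to an existing account. The threshold of 10 attempts, the `IdentityStore`/`Account` names and the sample identifiers are assumptions made for the example.

```python
"""Constructed model of per-account brute-force blocking (example, not Auth0 code)."""
from dataclasses import dataclass, field

# Assumed threshold for the example; the real limit is configurable and not stated here.
MAX_FAILED_ATTEMPTS = 10
BLOCK_MESSAGE = "Your account has been blocked after multiple consecutive login attempts"


@dataclass
class Account:
    username: str
    password: str
    failed_attempts: int = 0
    blocked: bool = False  # a real block exists only on a real account


@dataclass
class IdentityStore:
    accounts: dict = field(default_factory=dict)
    # Failed attempts are counted per submitted identifier whether or not an
    # account exists, so the login page can show the same message either way.
    attempt_counter: dict = field(default_factory=dict)

    def login(self, username: str, password: str):
        count = self.attempt_counter.get(username, 0) + 1
        self.attempt_counter[username] = count
        account = self.accounts.get(username)

        if account is not None and account.blocked:
            return ("blocked", BLOCK_MESSAGE)

        if account is not None and account.password == password:
            # Successful login resets the per-account counter.
            account.failed_attempts = 0
            self.attempt_counter[username] = 0
            return ("ok", None)

        if account is not None:
            # Failed login against an existing account: this can produce a real block.
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.blocked = True
                return ("blocked", BLOCK_MESSAGE)
            return ("failed", "Wrong username or password")

        # No such account: the message is shown once the threshold is reached,
        # but there is no account to block, so nothing is persisted against it.
        if count >= MAX_FAILED_ATTEMPTS:
            return ("message_only", BLOCK_MESSAGE)
        return ("failed", "Wrong username or password")

    def signup(self, username: str, password: str) -> bool:
        """Signup is independent of the attempt counter; only a duplicate name is refused."""
        if username in self.accounts:
            return False
        self.accounts[username] = Account(username, password)
        return True


def demonstrate_unknown_user(username: str = "nobody@example.com"):
    """Repeated failures for a non-existent user: message appears, signup still works."""
    store = IdentityStore()
    results = [store.login(username, "guess")[0] for _ in range(MAX_FAILED_ATTEMPTS)]
    message_shown = results[-1] == "message_only"
    signup_ok = store.signup(username, "correct-horse-battery")
    login_ok = store.login(username, "correct-horse-battery")[0] == "ok"
    return message_shown, signup_ok, login_ok  # (True, True, True)


def demonstrate_real_block(username: str = "alice@example.com"):
    """Repeated failures for an existing user: a real block applies, even with the right password."""
    store = IdentityStore()
    store.signup(username, "secret")
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login(username, "wrong")
    return store.login(username, "secret")[0]  # "blocked"


if __name__ == "__main__":
    print(demonstrate_unknown_user())
    print(demonstrate_real_block())
```

The two demonstration functions contrast the cases this article describes: for an identifier with no account the message is purely informational and signup proceeds, while for an existing account the same threshold produces an enforced block.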