I wonder if https://labs.play-with-docker.com/ can be used for a simple brute force DDOS attack or other similar exploits.
There are a lot of web sites out there that cannot and are not designed to support a lot of users. Maybe they are not intended to.
It would be trivial to launch an heavy traffic generator from a play-with-docker instance, without being tracked.

Are there any measure in place to avoid that?

This is entirely possible. Using multiple container instances, such as using iperf, can completely make a small website temporarily serviceable, or even service downtime.

In think the question 4 years ago was about whether Play with Docker does anything to avoid it, like limiting the number of containers or monitoring and limiting the network traffic. I don’t know the answer, but if anyone wants to find it out, I think this is the place where it could be asked: