Oh my bad! I was talking about WhatsApp.

The Messenger PIN is rate limited by an HSM, you merely enter it through the web interface.

Of course, the HSM could be backdoored or the client could exfil the secret but the latter would be easy to discover.

Harder to do any better here without making the user memorize a master password, which tends to fail miserably in real life.