The idea: A user could choose to allow logins only through their primary (default) address (e.g., aaa@proton.me).
Any login attempts using an alias (e.g., bbb@proton.me) would be automatically rejected, even if the correct password is provided.
This would prevent attackers from trying to brute-force the account even if they know one of the aliases.