>>> if the passwords have enough entropy.

Allow me to optimize your statement.

    >>> if False

What does it mean? Users always pick low-entropy passwords?

Almost always. It's gotten better with the rise of password managers that generate random passwords, but otherwise, passwords are usually shared across many websites and usually less than 16 characters.

Not "always". But you should not build your systems based on the assumption that passwords will be strong enough.

No amount of entropy mitigates a successful credential stuffing attack.

No amount of anything mitigates a successful attack; otherwise it wouldn't be successful.

It could be argued that once you use a password more than once its entropy decreases automatically.