Maybe I'm missing something, but this seems like something that would only be useful in situations where you don't have access to anything "closer" to the network requests (router, firewall, webserver) that you can tweak to handle these types of things.
It allows whitelisting... based on arbitrary properties of the request.
So if your user authentication code was also a Rack middleware, and you inserted Rack::Attack after it in the middleware stack, you could rate limit based on user account as well as IP address. That would be harder to do at the firewall or web server level.
This isn't for preventing DOS attacks (for which you'd want to completely avoid hitting application code), it's just for preventing unauthorised or excessive usage.
Think of it as defense-in-depth. This allows higher-level, but more sophisticated rules, while your lower layers provide simpler but lower overhead filtering. Hopefully abusive requests never reach this thanks to your router / firewall / web server rules, but if they do, this will help keep things in check.
Most times your firewall and router aren't doing layer 7/application level inspection/actioning. If Rack::Attack can handle it efficiently, it's the easy way to go.
So it's something that's good for Heroku apps?
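The middleware ordering described earlier in the thread (authentication first, throttling after it, so limits can key on the account as well as the IP address), as an added example that is not part of the original comments and is not Rack::Attack's own code. It uses plain Ruby objects that follow the Rack `call(env)` protocol; `FakeAuth`, `AccountThrottle`, `build_stack`, `statuses` and the `demo.user_id` env key are hypothetical names, and the tokens and addresses are constructed.

```ruby
# Added illustration: plain-Ruby objects that follow the Rack call(env) protocol.
# FakeAuth, AccountThrottle and the 'demo.user_id' env key are hypothetical names.

# Stand-in for authentication middleware: resolves a token to an account id.
class FakeAuth
  USERS = { 'token-alice' => 'alice', 'token-bob' => 'bob' }.freeze # constructed data

  def initialize(app)
    @app = app
  end

  def call(env)
    env['demo.user_id'] = USERS[env['HTTP_AUTHORIZATION']]
    @app.call(env)
  end
end

# Fixed-window throttle keyed on the account when known, else on the client IP.
class AccountThrottle
  def initialize(app, limit:, period:, clock: -> { Time.now.to_i })
    @app, @limit, @period, @clock = app, limit, period, clock
    @counts = Hash.new(0) # in-memory only; a real deployment needs a shared store
  end

  def call(env)
    key = env['demo.user_id'] ? "user:#{env['demo.user_id']}" : "ip:#{env['REMOTE_ADDR']}"
    window = @clock.call / @period
    count = (@counts[[key, window]] += 1)
    return [429, { 'content-type' => 'text/plain' }, ["Retry later\n"]] if count > @limit

    @app.call(env)
  end
end

# Build the stack so auth runs first and the throttle sees env['demo.user_id'].
def build_stack(limit:, period:, clock:)
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  FakeAuth.new(AccountThrottle.new(app, limit: limit, period: period, clock: clock))
end

# Send the same request n times and return the status codes.
def statuses(stack, env, n)
  Array.new(n) { stack.call(env.dup).first }
end
```

If the throttle were placed before the auth layer, `demo.user_id` would never be set when it runs and every request would fall back to the per-IP key.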