Is it possible to only have the middleware enabled for specific endpoints / controllers #663
Unanswered
joedeveloper asked this question in Questions (Q&A)
Replies: 0 comments
We are adding rack-attack IP-based throttling and login-name-based allow2ban.

At this point we only need this on the `login` and `otp` related endpoints to minimize brute-force attacks; most other endpoints require the user to be authenticated and we do not require in-app rate-limiting for those scenarios.

It feels like a fair amount of conditional logic has to be added to the safelists and within specific `throttle` and `blocklist` matchers to avoid undesirable involvement.

Honestly I am somewhat surprised to see that by design rack-attack is active as middleware for all endpoints. Is there a way to change that behavior, for example as a decorator on a controller or in routes definitions, to avoid the additional overhead on routes where it is not intended to be used?
All advice appreciated!
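Added example, not part of the original post and not rack-attack's own code: one way to confine a throttling middleware to the `login` and `otp` paths is a small wrapper that decides per request whether the wrapped middleware runs at all. `ScopedMiddleware`, `CountingLimiter`, `OK_APP` and `status_for` are hypothetical names; the sketch assumes the application mounts the wrapper itself in place of the wrapped middleware, and the limiter is a constructed stand-in so the block runs without any gem.

```ruby
# Added example: run a wrapped Rack middleware only for selected path prefixes.
# ScopedMiddleware and CountingLimiter are hypothetical names, not rack-attack API.
class ScopedMiddleware
  def initialize(app, middleware, prefixes:)
    @app = app
    @guarded = middleware.new(app) # assumption: Rack::Attack in the post's setup
    @prefixes = prefixes.map { |p| normalize(p) }
  end

  def call(env)
    scoped?(env) ? @guarded.call(env) : @app.call(env)
  end

  # True when the request path is a listed prefix, a sub-path of it, or the
  # prefix plus a format suffix ("/login.json"), which Rails routes accept by default.
  def scoped?(env)
    path = normalize(env["SCRIPT_NAME"].to_s + env["PATH_INFO"].to_s)
    @prefixes.any? { |pre| path == pre || path.start_with?("#{pre}/", "#{pre}.") }
  end

  private
  # Squeeze slashes, drop the trailing slash, lowercase: over-matching is the
  # safe direction for a rate limiter guarding authentication endpoints.
  def normalize(path)
    cleaned = path.squeeze("/").chomp("/").downcase
    cleaned.empty? ? "/" : cleaned
  end
end

# Constructed stand-in for the throttling middleware: answers 429 once more
# than LIMIT requests have reached it, so the scoping is observable.
class CountingLimiter
  LIMIT = 2
  def initialize(app)
    @app = app
    @seen = 0
  end

  def call(env)
    @seen += 1
    @seen > LIMIT ? [429, {}, ["retry later\n"]] : @app.call(env)
  end
end

# Constructed downstream app and request helper.
OK_APP = ->(_env) { [200, {}, ["ok\n"]] }
def status_for(stack, path)
  stack.call("SCRIPT_NAME" => "", "PATH_INFO" => path).first
end
```

Requests outside the listed prefixes never reach the limiter, so they add nothing to its counters and need no safelist entries.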