I just don’t see how the username is an attack vector. The sign-up has email verification and CAPTCHA. Requiring the username to be something sensible seems excessive.
But honestly, I don’t know. Maybe this stops a lot more bot farms than I’d expect.