I want to set a maximum number of password reset requests, such that only one email is sent every 5 minutes, for example
I am afraid, it is not possible out of the box
This feature was added in 4.17.2. The RECOVERY_PASSWORD_EKEYS_LIMIT constant is responsible for the maximum number of attempts that can be made within the RECOVERY_PASSWORD_TTL time. Both these constants are defined in the config.php file, you can change them as you wish.
https://docs.cs-cart.com/latest/history/4172.html#functionality-changes
[*] Users: Password recovery: Multiple improvements to behavior and emails. For example: you can now add Google reCAPTCHA to the password recovery page; the email now reflects for how long the recovery link will work (15 minutes).