Most applications end up disclosing that anyways either by a success message in the password reset flow, or a "email already in use" message in the registration flow. Obscuring who has an account is a major commitment for the design of any unauthenticated api, one that's both difficult and often user-hostile. And if you trip up once you have a worst-of-both-worlds where you've both made your website worse for your users and attackers can still easily check if someone is a user.

Wordpress takes almost the opposite approach: They consider the fact that you are an author on a page public information. There is even the /wp-json/wp/v2/users api to enumerate them At least they don't show email addresses, but you can also login with the username. ([1],[2] for examples in the wild).

Of course as a wordpress admin you can decide differently: extensibility is one of the core pillars of wordpress. Security arguably is placed behind extensibility and user-friendliness.

1: https://quebec.ubisoft.com/en/wp-json/wp/v2/users

2: https://www.rollingstone.com/wp-json/wp/v2/users

While I agree it's not really security through obscurity because when combined with other strategies (like mitigating timing attacks and rate limiting) it does expose less information to the attacker.

However, I stand that it does depend on the application. For example: Facebook does not use generic error messages. I presume because there are other trivial ways to find out if a user has an account so mitigating enumeration through the login form is not actually adding extra security.

all it has to say is "if you have an account with us, check your email address you just used"