by angry_octet 3331 days ago
Username enumeration is useful against a system with 10 or 1000 accounts, but absolutely meaningless on a system with 1,000,000,000 regular users.
1 comments

It can be useful in either case. It depends on what the attacker is trying to achieve. If they just want to get in as any user, then your hypothetical system with a billion regular users is going to be even easier, because if even a fraction of those can be enumerated, it's likely that at least some will be accessible using a password-spraying attack using one or two common passwords, or by cross-referencing with passwords disclosed in a breach.
But if we're talking concretely about Gmail here, the easiest way for someone to get in as "any user" is to create a Gmail account.
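From the defender's side, the spraying pattern described in the reply above shows up in authentication logs as one source failing against many distinct usernames with only one or two tries each, which a per-account lockout counter never sees. The following is an added example, not part of the thread; the log tuple format, the thresholds and the sample events (documentation-range IPs) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, source IP, username, result).
EVENTS = [(f"2024-01-01T10:00:{i:02d}", "198.51.100.7", f"user{i}", "fail")
          for i in range(6)]                      # one try against six users
EVENTS += [("2024-01-01T10:01:00", "198.51.100.7", "user6", "success")]
EVENTS += [(f"2024-01-01T10:02:{i:02d}", "203.0.113.9", "bob", "fail")
           for i in range(4)]                     # repeated tries against one user
EVENTS += [("2024-01-01T10:03:00", "192.0.2.10", "carol", "fail")]  # ordinary typo

def locked_accounts(events, threshold=3):
    """Per-account control: usernames with at least `threshold` failures."""
    fails = Counter(u for _, _, u, r in events if r == "fail")
    return {u for u, n in fails.items() if n >= threshold}

def spraying_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2):
    """Sources failing against many distinct users, few tries each, within a window."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            by_src[src].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in rows[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.add(src)
                break
    return flagged

def successes_from(events, sources):
    """Accounts that logged in from a flagged source: candidates for forced reset."""
    return {u for _, s, u, r in events if s in sources and r == "success"}
```

On the sample data the lockout counter only reacts to the single-account guessing against `bob`, while the per-source view catches the spray and surfaces the account that logged in successfully from the same address.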