To impose delays, there must be some way of identifying users individually. But to do so will have privacy implications. PoW is a stateless way of imposing delays without the privacy implications of tracking.
That said, it isn't perfect. I'm on the lookout for cleaner and more efficient ways of doing it.
if you want denial-of-service protection, wouldnt it be better to use a delay-based algorithm, instead of a proof-of-work one?
Proof-of-work is not environmentally friendly, wastes your legitimate users resources, and doesnt stop all DOS types
Just force a delay in time to requests to your site and allow only as many as you can process