[fulafel]

These are valid considerations, but not tied to S3 (or uploading).

It's probably a happy problem if you end up worrying about S3 as a very DDoS-able part of your system.

Running up hosting bills is an scenario that can be addressed with various technical means (like a sibling comment explains). Many people seem to judge the risk * probability too small to put a lot of preemptive effort into it. It's basically a question of how much damage would be done until your monitoring catches it. AWS has also been known to "forgive" bills that were caused by malicious attackers in some situations.