by generationP 1949 days ago
> 30GB of monthly bandwidth. These resource limits are enough for most normal websites

Unless you have a griefer with a broadband connection and half an hour of time I guess?

3 comments

Yes, but how often does that really happen? I've known of this possibility since I was a teen, and sometimes it happened on fairly popular sites back when unlimited bandwidth was very expensive, but it was rare back then and I haven't heard of this actually happening to any site in the last decade. I'm sure you can find examples online, but it's way more common to get a proper DDoS than to get this kind of attack.
You'd think it'd be more common given how many sites are on EC2 and how expensive Amazon's egress is, but nonetheless, I never hear billing horror stories from that vector.
At my last job, we would get casually DDoSed from time to time. One of the ones I remember was a WordPress pingback reflection to a large file. Not too hard to handle (pingback is dumb and needs to die in a fire, but at least WordPress sets user-agent), but it used a ton of bandwidth until we sorted it out.
This was a common prank on mobile browsers using 30+GB favicon.ico files. I am not even sure that was ever truly fixed in all the browsers, might be a good thing to test. The browsers would continue to download the favicon in the background even if you left the page. People that were roaming would get their cellphone accounts suspended. Providers reacted by putting roaming limits in place, but it still caused grief for people.
Well, to protect from that you need to pay more than $1 of hosting or put up a free CDN in front of it.
CDNs are the only sites that have ever saturated my broadband or fiber connections. Accessing 'mere mortal' web sites is way slower. Block out the whole day on your calendar.
OK, true -- I guess you can slow it down Zeno-style per IP if you set it up correctly.