From https://gdpr-info.eu/art-12-gdpr/:
"Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: "
The quoted bit is about one person, not multiple so not directly applicable. I assume if someone organizes a coordinated flood of requests from multiple persons you can still argue that it is excessive.
I agree that the amount of requests is very uncertain. Within my company I'm planning to make one request (data regarding me as an employee). This to see if they're prepared.