Hiding "e-mail taken" on sign-up by default

Attackers could already do that just by registering new accounts. If the attacker knows 100,000 email addresses, they can register 100,000 accounts, and Discourse will send each one of them an activation email, which each user could report as spam.

Sending “can’t reset password, your account doesn’t exist” emails to email addresses of accounts that don’t exist doesn’t make that attack any easier or any harder.

This attack is not an issue for most sites, but, if you’re worried about it, you should use the Discourse hCaptcha plugin, which increases the cost to the attacker. (Meta doesn’t use it; most forums hosted by Discourse don’t use it.)

I think that if Discourse accepts my suggestion to begin sending “can’t reset password, your account doesn’t exist” emails to email addresses of accounts that don’t exist, it would make sense for the hCaptcha plugin to work on the password reset form as well as the sign up form. (I still wouldn’t need/use hCaptcha myself.)

2 Likes
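As an added illustration of the two flows the post discusses (not code from the post or from Discourse), here is a minimal sign-up and "forgot password" handler pair that keeps the message shown to the anonymous requester identical whether or not the address is registered, and moves the "no such account" / "account already exists" information into the email that only the mailbox owner sees. The account store, the `forum.example` URLs, the `Outbox` collector and the token helpers are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample account store standing in for a forum's users table (assumption).
USERS = {"alice@example.com": {"id": 1, "activated": True}}

# Generic messages shown to the anonymous requester; identical whether or not the account exists.
RESET_MESSAGE = "If an account matches that address, we have emailed it instructions."
SIGNUP_MESSAGE = "Check your inbox to finish creating your account."


@dataclass
class Outbox:
    """Collects outgoing mail so the two flows can be inspected offline."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


def _normalize(email: str) -> str:
    return email.strip().lower()


def request_password_reset(email: str, outbox: Outbox, users: dict = USERS) -> dict:
    """'Forgot password' handler.

    The HTTP response is the same in both branches; the only difference is which
    email the address receives, and only the mailbox owner can see that.
    """
    addr = _normalize(email)
    if addr in users:
        token = secrets.token_urlsafe(32)  # hypothetical single-use reset token
        outbox.send(addr, "Reset your password",
                    f"Use this link to choose a new password: https://forum.example/reset/{token}")
    else:
        # The post's suggestion: tell the mailbox owner, not the requester, that no account exists.
        outbox.send(addr, "Password reset requested",
                    "No account is registered for this address. "
                    "You can create one at https://forum.example/signup")
    return {"status": 200, "message": RESET_MESSAGE}


def sign_up(email: str, outbox: Outbox, users: dict = USERS) -> dict:
    """Sign-up handler with 'e-mail taken' hidden from the requester.

    The account itself is only created when the activation link is followed,
    so this handler never modifies the store.
    """
    addr = _normalize(email)
    if addr in users:
        # Existing owner learns about the attempt; the requester sees the generic message.
        outbox.send(addr, "You already have an account",
                    "Someone tried to sign up with this address. If it was you, "
                    "log in or reset your password instead.")
    else:
        token = secrets.token_urlsafe(32)  # hypothetical activation token
        outbox.send(addr, "Activate your account",
                    f"Confirm your address: https://forum.example/activate/{token}")
    return {"status": 200, "message": SIGNUP_MESSAGE}


def responses_indistinguishable(handler, outbox: Outbox) -> bool:
    """Self-check for a deployment: the anonymous response must not differ between
    a registered address and an unregistered one."""
    known = handler("alice@example.com", outbox)
    unknown = handler("nobody@example.com", outbox)
    return known == unknown


if __name__ == "__main__":
    ob = Outbox()
    print(responses_indistinguishable(request_password_reset, ob))
    print(responses_indistinguishable(sign_up, ob))
    for mail in ob.sent:
        print(mail["to"], "<-", mail["subject"])
```

`responses_indistinguishable` only compares the response body; it says nothing about timing, and the two branches do different amounts of work (token generation, mail delivery), so in a real deployment the mail should be queued asynchronously and the request rate-limited or captcha-gated, which is what the post's hCaptcha remark is about. Note also that neither flow reduces the volume of mail an attacker with a large address list can trigger, which is the post's point: the defence against that is cost per request, not the wording of the response.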