Spike in unwanted traffic
jacebot
HOBBYOP

9 months ago

Hello,

I have a huge spike in network egress usage due to unwanted bots trying to hammer away for WordPress exploits. Is there a way to prevent this through a custom .htaccess file for my *packs? Should I migrate my app to a Docker app? Should I try and prevent it at the app level? I am currently handling it as a 40x error.

Solved, $10 Bounty

Pinned Solution

opqr
FREE

9 months ago

You'll have to use a WAF like Cloudflare or Fastly to block bad traffic before it hits your app. If you want more control, you can run a self-hosted reverse proxy on Railway to filter requests. Keep in mind, you’ll still be charged for CPU, RAM, and egress on the proxy instance, but it won’t strain your main app’s resources. Personally, I’d recommend going with a third-party option.

9 months ago

This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.

Status changed to Open brody 9 months ago


jacebot
HOBBYOP

9 months ago

To avoid any additional unwanted comments or questions, I am not using WordPress. I am not currently using Docker. I do not intend to switch to either.


lofimit
HOBBY

9 months ago

Well, you can save most of the memory usage by blocking those requests in the .htaccess (so you return nothing to them).
Example:
<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{REQUEST_URI} ^/wp- [NC]

RewriteRule .* - [F,L]

</IfModule>


9 months ago

Neither Railway, nor the user is running an Apache web server.



brody

Neither Railway, nor the user is running an Apache web server.

lofimit
HOBBY

9 months ago

Oh, in that case the user could try to block certain User-Agents or block IPs (most of them are probably public proxies that are easily detected as proxies), but anyway there isn't much you can do. The best option by far is obviously using a WAF like Cloudflare, like @opqr said, but I believe if that was an option you would've already done it. Please let me know, @jacebot, if using a WAF is possible for you or not.


Status changed to Solved brody 9 months ago


jacebot
HOBBYOP

9 months ago

Thanks everyone so far for the suggestions. I was curious if there was a config setting at the Nixpacks or Railpack level, but some searching around turns up nothing related at the moment. I am still thinking of doing some further app level updates/hardening, but not sure if that helps in this case since the resource is still served / network utilized. Thanks!


Status changed to Awaiting Railway Response Railway 9 months ago


Status changed to Solved jacebot 9 months ago
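
The self-hosted filtering reverse proxy suggested in the pinned solution could look like this in Go. This is an added example, not code from anyone in the thread or from Railway; `UPSTREAM_URL`, the fallback port and the `xmlrpc.php` pattern are assumptions, while `^/wp-` mirrors the rewrite rule lofimit posted.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"regexp"
)

// probe matches WordPress scanner paths. "^/wp-" mirrors the rewrite rule
// posted in the thread; xmlrpc.php is an assumed addition.
var probe = regexp.MustCompile(`(?i)^/+(wp-|xmlrpc\.php)`)

// isProbe reports whether a request path looks like a WordPress scan.
func isProbe(path string) bool { return probe.MatchString(path) }

// filter answers probes with a bodyless 403 and never calls next, so the
// upstream app does no work and only response headers leave the service.
func filter(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isProbe(r.URL.Path) {
			w.Header().Set("Connection", "close") // do not keep scanners connected
			w.WriteHeader(http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// UPSTREAM_URL is a hypothetical variable naming the real app's address.
	upstream, err := url.Parse(os.Getenv("UPSTREAM_URL"))
	if err != nil || upstream.Host == "" {
		log.Fatal("UPSTREAM_URL must be an absolute URL")
	}
	port := os.Getenv("PORT") // listening port, assumed to be injected by the platform
	if port == "" {
		port = "8080"
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	log.Fatal(http.ListenAndServe(":"+port, filter(proxy)))
}
```

The same `filter` wrapper can sit in front of any `http.Handler`, so a Go app can apply it in-process instead of running a separate proxy service.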

