
Check out the table. I believe the bottom line is that length and symbols and all those restrictions don't add any security, because the relevant threats are not password probing.


I did look at the table, and the very first row, credential stuffing, requires that your password be non-unique. So your password matters.


Yeah, I think the point is that a typical password validation policy won't be able to spot that risk.

Although one that cycled passwords regularly would presumably do the trick.


Password cycling studies show that it generally weakens passwords and only increases the likelihood that fallible human beings recycle the same (variations of) passwords across multiple services.

About all this article shows is that the only "complexity" test that matters is that a password shouldn't be in the Top X most used passwords, and X may be as low as 10 (much less than the thousands you can easily check with Pwned Passwords) if you are attempting (distributed) password spray detection in your login systems, MFA, etc.
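The two controls this comment pairs, a small Top-X denylist at password-set time and password spray detection at login time, as an added example in Python. It is not code from the linked article or from anyone in the thread; the denylist contents, the auth-log lines and the thresholds are all constructed for illustration.

```python
"""Added example: Top-X denylist check plus a simple password-spray detector
run over constructed auth-log events. Not code from the article or the thread."""
from collections import defaultdict

# Constructed denylist. A real one is derived from breach-corpus frequency
# counts; the point above is that X can be small when spray detection exists.
TOP_X_PASSWORDS = frozenset({
    "123456", "password", "123456789", "12345678", "12345",
    "qwerty", "1234567", "111111", "1234567890", "123123",
})


def rejected_by_denylist(password: str, denylist=TOP_X_PASSWORDS) -> bool:
    """True if the candidate is in the Top-X list. Only whitespace is trimmed:
    "Password" and "password" are distinct guesses, so no case folding."""
    return password.strip() in denylist


# Constructed auth log: (unix_seconds, source_ip, username, success).
AUTH_LOG = [
    (1000, "203.0.113.5", "alice", False),
    (1005, "203.0.113.5", "bob", False),
    (1010, "203.0.113.5", "carol", False),
    (1015, "203.0.113.5", "dave", False),
    (1020, "203.0.113.5", "erin", False),
    (1030, "198.51.100.7", "alice", True),
    (1040, "198.51.100.9", "frank", False),
    (1045, "198.51.100.9", "frank", False),
    (1050, "198.51.100.9", "frank", True),
]


def spray_sources(events, window=600, min_accounts=5):
    """Flag source IPs that fail against >= min_accounts distinct usernames
    inside any sliding window of `window` seconds.

    A spray is the inverse of brute force: one or two guesses per account,
    many accounts. Per-account lockout never fires, so detection has to pivot
    on the source instead. Returns {ip: distinct_accounts_hit}.
    """
    failures = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


def distributed_spray(events, since, window=600, min_accounts=4,
                      max_per_account=2):
    """Distributed variant: the attacker rotates source IPs, so per-IP counts
    stay low. Pivot on the global picture instead: many distinct accounts each
    seeing only a few failures in [since, since + window). Returns the number
    of such low-and-slow accounts if it meets min_accounts, else 0."""
    per_user = defaultdict(int)
    for ts, _ip, user, ok in events:
        if not ok and since <= ts < since + window:
            per_user[user] += 1
    low_and_slow = [u for u, n in per_user.items() if 1 <= n <= max_per_account]
    return len(low_and_slow) if len(low_and_slow) >= min_accounts else 0


if __name__ == "__main__":
    print("denylist hit:", rejected_by_denylist("password"))
    print("spraying sources:", spray_sources(AUTH_LOG))
    print("distributed spray accounts:", distributed_spray(AUTH_LOG, since=1000))
```

The two detectors are deliberately separate: the per-source check catches the naive spray from one IP, while the global check is the only one that sees a spray spread across many IPs, which is why the comment ties the size of X to whether distributed detection is actually in place.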


Wonder if anyone has ever written password validation to attempt credential stuffing on a few popular websites and reject the password if it works.


Pwned Passwords is a database of the most common password hashes, compiled from years of breach data: http://haveibeenpwned.com/Passwords

Though the takeaway in the article is that you really only need to check Top X and Top X may be as low as 10 assuming other mitigations are in place.
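How a Pwned Passwords check actually works, as an added example in Python (not the thread's or HIBP's own code). The lookup uses the range API's k-anonymity scheme: the client sends only the first five hex characters of the SHA-1 of the password and matches the remaining 35 characters locally. The range body used below is constructed so the example runs offline; its suffixes and counts are made up, not HIBP's real data.

```python
"""Added example (not from the thread or from HIBP): a Pwned Passwords range
lookup, exercised offline against a constructed range response."""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. With the Add-Padding
    header the API mixes in zero-count filler lines; they parse like any
    other entry and never count as a hit, since a hit needs count >= 1."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the range response (0 if absent)."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def is_pwned(password: str, range_body: str, threshold: int = 1) -> bool:
    """A higher threshold approximates the 'Top X' idea from the thread: only
    reject passwords seen at least `threshold` times in breaches."""
    return breach_count(password, range_body) >= threshold


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one prefix. Not called by the offline demo below."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def demo_range_body() -> str:
    """Constructed stand-in for an API body: the suffix for "password" with a
    made-up count, one filler suffix, and one zero-count padding entry."""
    _, pw_suffix = sha1_prefix_suffix("password")
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler
        f"{pw_suffix}:3000000",                     # made-up count
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # constructed padding line
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    body = demo_range_body()
    print("prefix sent for 'password':", sha1_prefix_suffix("password")[0])
    print("breach count:", breach_count("password", body))
    print("pwned at threshold 10:", is_pwned("password", body, threshold=10))
```

In a real integration you would call fetch_range(prefix) and pass the body to breach_count; the server only ever learns a 5-character prefix shared by hundreds of hashes, so it cannot recover which password was checked. Raising the threshold is the programmatic version of the "Top X" argument above: with strong spray detection in front of the login, you can afford to reject only the handful of passwords that appear millions of times rather than everything that appears once.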



