Something I can’t understand about ERC-4337

Hi!

I've been reading a lot about ERC-4337 and how it works at the high level view (at least this point: https://beincrypto.com/learn/erc-4337/).

I understand that with this framework, the end-user doesn't need an EOA anymore. Following the fact that no more EOA manipulation is needed on the end-user side, I have several questions:

1. How is the userOperation sender identified? If it's not an Ethereum Public Key (related to an EOA), how is this ide tity generated? I understand it could be based on your phone but can you elaborate a little bit?

2. Since sending UserOperation doesn't require gas on your own EOA, how does Ethereum network prevent from spamming tx? What could prevent a user from sending a lot of fake UserOperations?

Thanks!