I agree, and I also am familiar with how WP Engine's 'GES' (global edge security) works. obr.uk points to two IP addresses held in the name of WP Engine, but they're actually BYOIP with Cloudflare. Cloudflare act as a caching layer, DDOS mitigation and WAF.
Note that GES works a bit different to traditional Cloudflare implementations, HTML requests are basically passed through to the WP Engine NGINX reverse proxy server that's in front of the WordPress site (as opposed to being heavily cached with Cloudflare). Static assets, like a PDF - would indeed be cached with GES.
Either that number was wrong like you say OR (and I am unfamiliar with Bluesky) the URL is loaded via Bluesky's browser (like X) and therefore Bluesky's own server IP was used (instead of the user's).
Edit: Or (and more likely) cached/copies of the original.
I find this an implausibly low number. It was all over Bluesky, X etc., not to mention journo Signal and WhatsApp groups.