if only there was a permissionless social graph with verifications and connected addresses with historical onchain activity...

None of the verifications/permissionless social graph/historical chain activity stuff stop sybil attacks, they just make it more expensive and slightly less likely.
If facebook and every web2 platform which have mountains of device metrics can't stop sybil attacks, then web3 platforms which don't even have access to those same metrics have even less chance of doing so.

In any case, at a certain scale, "sybil attacks" really just ends up being real users that are so low quality/effort that no one wants around. The world has 8 billion people in it.