If the login form is developed by the client itself, should the remediation level for a user enumeration finding be ‘Unavailable’ on the grounds that it makes them their own provider and, as such, they clearly do not have an implemented solution?
It depends. I myself define “Unavailable” as when the client can’t do anything to fix that vulnerability. For example:
User enumeration when the client uses a Firebase API: the Firebase auth responds that the user doesn’t exist on their login and the client can’t do anything about it (they can only patch it on the front end, but on the back end it still shows the enumeration).
But if the client manages their own authentication API and it is only a matter of changing “user not found” to “incorrect user or password” or “we will mail you at the email provided”, I treat this as a workaround remediation; you can use official here too.
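The “client manages their own authentication API” case from the answer above, as an added example (not code from the original thread): a login handler whose distinct failure messages leak account existence, beside the hardened form that returns one generic message and also hashes a dummy record for unknown usernames so the two failure paths take about the same time. The credential store, salts and the `messages_distinguish_users` check are constructed for this example.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Constructed sample credential store: username -> (salt, PBKDF2-SHA256 hash).
# In a real system these would come from a database.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT_ALICE = b"constructed-salt-alice-16"
USERS = {
    "alice": (_SALT_ALICE, _hash_password("correct horse battery staple", _SALT_ALICE)),
}

# Fixed dummy record used when the username is unknown, so the hardened path
# always performs exactly one PBKDF2 computation regardless of whether the
# account exists (a timing difference would otherwise leak the same fact).
_DUMMY_SALT = b"constructed-dummy-salt-16"
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)

GENERIC_FAILURE = "incorrect user or password"


def login_vulnerable(username: str, password: str) -> Tuple[bool, str]:
    """The finding: different messages tell the caller whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False, "user not found"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return True, "ok"
    return False, "incorrect password"


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """Remediation: one failure message, and the same amount of work on both paths."""
    record = USERS.get(username)
    # Unknown user: verify against the dummy record so timing stays uniform.
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    # Guard on `record` too, so a guess equal to the dummy password never succeeds.
    if record is not None and matches:
        return True, "ok"
    return False, GENERIC_FAILURE


def messages_distinguish_users(login: Callable[[str, str], Tuple[bool, str]]) -> bool:
    """Tester's check: do the failure messages differ for an unknown vs a known user?

    "mallory" is a constructed username that is not in the store.
    """
    _, unknown_msg = login("mallory", "x")
    _, wrong_pw_msg = login("alice", "x")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    print("vulnerable leaks:", messages_distinguish_users(login_vulnerable))
    print("hardened leaks:  ", messages_distinguish_users(login_hardened))
```

The same idea applies to password-reset and registration endpoints: respond with “we will mail you at the email provided” whether or not the address is on file, and keep the response size and latency the same on both paths, since an attacker who cannot read the message can still diff those.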