I guess that is true, but if you store the encryption key in a secret store on Azure or AWS, I wouldn't really worry about that.
Maybe the real question is why use a pepper over encryption?
They have the same downside (as you mentioned) but at least you can change the encryption key without having all the users change passwords. I don't see any advantage in using a pepper over encryption, except maybe implementation complexity.
Pepper, encryption, they both guard against drive-bys, which can happen for sure (missing backups anyone?) but they're not the only thing that can happen.
Like any disaster preparedness situation, make sure your strategy doesn't count on an asset you've already listed as unavailable.