It would seem so, yes.

Evidence: xkcd is never wrong. :-P

(Although I have always wondered about that aspect yes… perhaps an attack has to switch between trying random letters and random words, which may limit its effectiveness, and still keep the number of words high? What if we swapped out letters like c0rr3ct? - b/c obviously hackers have never heard of 1337 5p33ch before. Yeah I really have not looked this one up, hence default to the joke answer above. irl I use the FOSS KeePass and a large string of random crap… but that is nowhere near as funny to say as correct horse battery staple:-D

Also, https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength does talk about this - but unless it is in the references, there is not too much depth there, e.g. a dictionary may have a certain number of words, but I doubt that they are all used equally - some werds oft encroaches upon my visage with verily greater frequency of occurrence by comparison to alterity, so while in the sense of spherical chickens sliding on a frictionless surface a dictionary attack “may not be viable”, in practice I highly suspect that a way could be found to find, if not one specific password, then at least somebody’s password within a large bank of them.)

Easy explanation: there are lots of words in the dictionary and the combination of four words makes it that it still takes a long time.

can’t be arsed for the long explanation, read the original diceware documentation

you need six words now though: https://arstechnica.com/information-technology/2014/03/diceware-passwords-now-need-six-random-words-to-thwart-hackers/