Depends on config, but ip or user or user groups are possible

• https://www.mediawiki.org/wiki/Manual:$wgRateLimits
• https://www.mediawiki.org/wiki/API:Ratelimit

Not sure if REST has other ways to limit requests, but the normal rate limit in rest is only used for stashbasehtml

I'm not sure there is much to be investigated here. Useful links have been shared in the comment above (thanks!), and the answer to both questions in the description is "yes", in short.

Here is the relevant bit of production config: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/c44980b3fcfeb4d2139dac7311e33f599ea0788e/wmf-config/InitialiseSettings.php#7997
Here is the bit that adds the noratelimit right to bots: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/c44980b3fcfeb4d2139dac7311e33f599ea0788e/wmf-config/InitialiseSettings.php#10763

It turns out I failed to read the second link in my comment above. Bots clearly do *not* have the noratelimit right. They do have apihighlimits though, which can be seen in the list here: https://www.wikidata.org/wiki/Special:ListGroupRights

apihighlimits is used to limit the result size of read actions on the api (per action/request), whereas noratelimit is used to limit/throttle the number of write actions in a time period through api and index/gui. The is no different limits for read actions on index.php depending on user rights.

While sysops/admins are not limit on write actions, they are still limitted on api reads the same ways as bots, but with higher limit as other users.
While bots are no-ratelimited on most wmf wikis, that is not true for wikidata (that is what is linked on the second link)