There is a middle ground between “customer with a domain” and “public suffix”. For example for students at a university that have their own machines - “.device..edu”. That could be hundreds/thousands of different “domains” - but since you’re tracking it back to the same top level - it essentially lumps all of those students/users into a single rate limiting item.
I am definitely in agreement with the rate limit as applied to a particular single domain entry - i.e. re-issuances.
It sounded in another topic like you were working on a rate limit request form - will that address this?