how specific should we get with rate limiting

hey every1, ive been thinking a lot about rate limiting lately as we scale. weve implemented some basic global limits, but im wondering about the best approach for more granular control. should we be rate limiting per user, per api key, per ip address, or even per specific endpoint or resource? what strategies have u found effective, and what are the trade-offs uve encountered with different levels of granularity