The limit for unauthenticated users is by IP address. I could imagine a smallish business that has a consistent on-ramp IP for their users that could breach the limit not on any single user but in aggregate.

I do sympathize with Docker though: Storage and bandwidth at that scale isn’t cheap and they need to monetize somehow.