An app itself has a single OAuth client id. So rather than per user, it would seem to be per app.
This would kill third party apps used by a lot of users, but individually created tools that developers created using their own client IDs would be fine, so like if I spun up a bot on a user account and called into reddit, I'd be fine because I probably wouldn't hit those limits. That's what they mean by "The vast majority of third-party apps and bots fall into the free usage category and should not see any disruptions" - all these little individually run bots and such.
Bots good, third party apps that allow people to actually browse your website in any meaningful capacity bad, I guess?