Per the original proposal (T231930), Authority should be responsible for applying rate limits to the actions it authorizes. The idea is that callers that ask for an action to be authorized should not know or care what factors into that decision - be it group permissions, user blocks, rate limits, etc.
Rate limits would be tested (but not bumped) by "thorough" checks as performed by definitelyCan() (and, in the future, isDefinitelyAllowed). Methods that "authorize" an action would enforce and bump the limit; these are the authorizeRead() and authorizeWrite() methods (as well as, in the future, authorizeDo()).
Performing rate limit checks implicitly for all permission checks allows all code that currently enforces rate limits explicitly, by calling User::pingLimiter or RateLimiter::limit, to be removed. It also allows error handling for rate limits to be generalized in the API, so that clients are informed about limit violations in a uniform way.
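The test-versus-bump split described above, as an added sketch that is not MediaWiki code: ToyLimiter, ToyAuthority, wouldExceed() and hit() are hypothetical names, and only the method names definitelyCan() and authorizeWrite() are borrowed from this task. It assumes a simple per-user, per-action counter with no time window.

```php
<?php
// Toy model of the proposal (hypothetical classes, not MediaWiki's own).
// ToyLimiter keeps one counter per key; there is no expiry window here.
final class ToyLimiter {
    private array $hits = [];
    public function __construct( private int $max ) {}
    // Test only: is the limit already reached? Does not count anything.
    public function wouldExceed( string $key ): bool {
        return ( $this->hits[$key] ?? 0 ) >= $this->max;
    }
    // Enforce and bump: count the action unless the limit is reached.
    public function hit( string $key ): bool {
        if ( $this->wouldExceed( $key ) ) {
            return false;
        }
        $this->hits[$key] = ( $this->hits[$key] ?? 0 ) + 1;
        return true;
    }
}

final class ToyAuthority {
    public function __construct(
        private string $user, private array $rights, private ToyLimiter $limiter
    ) {}
    // "Thorough" check: permissions plus rate limit, tested but not bumped.
    public function definitelyCan( string $action ): bool {
        return in_array( $action, $this->rights, true )
            && !$this->limiter->wouldExceed( "{$this->user}:{$action}" );
    }
    // Authorizing check: same decision, but a success consumes one unit.
    // A caller without the right never reaches the limiter at all.
    public function authorizeWrite( string $action ): bool {
        return in_array( $action, $this->rights, true )
            && $this->limiter->hit( "{$this->user}:{$action}" );
    }
}

// Constructed scenario: user "Alice" may edit, limit of 2 edits.
$alice = new ToyAuthority( 'Alice', [ 'edit' ], new ToyLimiter( 2 ) );
var_dump( $alice->definitelyCan( 'edit' ) );  // repeated checks consume nothing
var_dump( $alice->definitelyCan( 'edit' ) );
var_dump( $alice->authorizeWrite( 'edit' ) ); // first counted action
var_dump( $alice->authorizeWrite( 'edit' ) ); // second counted action
var_dump( $alice->authorizeWrite( 'edit' ) ); // third attempt against a limit of 2
var_dump( $alice->definitelyCan( 'edit' ) );  // thorough check sees the same limit
```

The caller never touches the limiter directly, which is the property that lets explicit limiter calls be dropped from calling code.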