It’s per service and it goes from being able to overwhelm an onion to having to exert more computing usage than the server does serving you. It helps.

Correct. PoW is also per request, so identity (new or old) is irrelevant.

right, it's not per client; if it was per client you could just ban the abusive clients instead of asking them for pow. anonymity (or freely available new identities) mean that attackers can use a sybil attack to deny service via capacity overload