Where should anonymity actually live in a blockchain protocol?

Thinking about anonymity as a default assumption rather than a feature sounds reasonable, but once you look at it from a protocol perspective, things get messy fast.

Should anonymity be enforced directly at the protocol level, or does it work better as something that emerges across multiple layers?

At what point does resistance to correlation attacks start conflicting with real-world usability and performance?

Curious how people here think about this from an engineering point of view.