How do ziti apps connect to routers and services without manually getting identities?

Let's assume that I downloaded an iOS app. The app is integrated with ziti sdk.

However, the app on my iPhone hasn't received an identity from a controller, yet.

Non-technical people will just delete the app.

Is this it? Or can one client identity be re-used by many app users? How is the certificate rotated?

Although I don't personally agree with this opinion, let's assume that it's true. Even if true, this issue doesn't seem to me to be a problem for OpenZiti alone but one for all overlay technology in general. The users still need to authenticate/configure the overlay in some way. I suppose it's possible though, sure.

I think this probably needs a bit more clarification. I'm not sure I'm going to answer it quite right. I assume you mean multiple humans on a shared computer. If that's the case, tunnelers are "L3 to overlay" technology. They operate by instructing the OS to send packets matching configured rules to a TUN device that the tunneler creates (edge-routers use tproxy). That means that if you start a tunneler with a given identity, any user on that machine will have access to the TUN. So "yes" - in a way.

If you mean can one identity be used by multiple 'apps', that's a categorical yes. One identity can have "thousands" of services configured to it. I've seen some users with 4000 and that seems like "a lot" to me. 🙂

1 Like

I meant multiple iPhones used by different people.

All of them installed a ziti-aware iOS app.

It seems zrok forces each user to get an identity from a login session.

I guess ziti identity should really be used for a login session for each user, and non-login app traffic can be just plain HTTPS or plain TLS.

Each phone will require a new/different identity. Android, iOS, and macOS have used keychains for a long time, and the identity is not portable/sharable. Windows will receive this capability soon, and it should be available for Linux as well now, but you optionally enable it. Linux is always a bit of a strange beast with the multitude of ways it can be configured.

zrok forces you to "enable" an environment, getting access to produce shares and to access private shares, but if the zrok user shares something publicly, those users do not require an identity, as they are not sending traffic over the overlay until it hits the public zrok proxy (the sharer needs zrok/an identity in this case).

If an app truly doesn't need authentication and can be truly public and doesn't require any authentication whatsoever, then yeah OpenZiti certainly isn't relevant imo. zrok might still be useful as it would allow the server to be hosted in private address space (and from anywhere, not beholden to specific firewall/ip configurations).

1 Like