Worst case usage determines what information is subject to GDPR, but actual business use-case is what determines what data you are allowed to collect.
IP addresses are subject to GDPR, but that just means that you have to have either a legitimate business need for keeping them or to have the user's consent to keep them and you need to disclose to the user that you are keeping them and for how long.
You probably do have a legitimate need to keep IP address logs for some period of time to allow troubleshooting and possibly for a longer period of time to allow for fraud detection. As long as you are disclosing to the user that you are collecting that information and are abiding by the retention period that you are disclosing to users, then you will be allowed to collect logs of IP addresses.
IP addresses are subject to GDPR, but that just means that you have to have either a legitimate business need for keeping them or to have the user's consent to keep them and you need to disclose to the user that you are keeping them and for how long.
You probably do have a legitimate need to keep IP address logs for some period of time to allow troubleshooting and possibly for a longer period of time to allow for fraud detection. As long as you are disclosing to the user that you are collecting that information and are abiding by the retention period that you are disclosing to users, then you will be allowed to collect logs of IP addresses.