Start with the threat model
The right settings depend on what you are protecting. A recovery code, a contractor credential, and an internal reminder do not need the same level of restriction. The shorter the useful life of the secret, the stronger the default should be.
If the secret is intended for a single recipient and a single action, one read is usually the cleanest choice. If the recipient may need to open the link during setup, a small read limit can avoid support headaches.
Pick the shortest useful window
Expiration and read limits should work together. A link that can be opened ten times but expires in an hour may still be acceptable, while a link with a long duration but only one read may also be reasonable. The point is to align the settings with the real workflow.
As a rule, short wins over long. The safest secret is the one that disappears as soon as the job is done.