2 points
Usually something like this would be enforced once in a centralized location (in the data layer / domain model), rather than at every call site.
True. Although not every endpoint is the same, nor is every website or service.
This gets tricky because in many jurisdictions, you need to ensure that you don’t just delete the user, but also any data associated with the user
GDPR specifically mentions user identifiable data. I don’t know about others.