IMO the fail here is not having a true soft-delete policy with a delete endpoint available.

You need to protect customers from themselves. If you offer a true deletion endpoint/service, you need to offer them a way to stop them from being absolute idiots when they inevitably cause a sev 0 for themselves.