I don’t want to allow 3 tokens (although I do it in practice sometimes) because I want to be sure that the tokens not needed anymore get revoked.
Let’s take the example of a TOTP saved on a smartphone: the user gives his smartphone to a friend or to his child without wiping it first, and the TOTP token ends up with someone who should not have it. As my users need to use the services protected by privacyIDEA, they will eventually come to me to have their TOTP token removed so they can enroll one on their new smartphone, but this is not the preferred solution.
Also an important thing is that deleting does not imply revoking: I think that in the case of a TOTP token, deleting it implies it is revoked, but this is definitely not the case with a certificate, as deleting it does not trigger the revoke action. So giving the users the right to delete their token would not help me, as e.g. in the case of a certificate, they would rightly be denied the creation of a new one by openssl (email address already used).
In fact, in an ideal configuration, I would like to be able to say that user A is allowed to have one valid certificate and one valid TOTP token, while user B is allowed to have one valid certificate, a valid TOTP and a valid printed list of OTPs.
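A constructed model of the situation described in this post (an added example, not privacyIDEA's own code or API): a per-user, per-type limit that counts only non-revoked tokens, next to a hypothetical CA record that refuses a second certificate for a subject until the first one is revoked, so that "delete" and "revoke" visibly differ.

```python
from dataclasses import dataclass


@dataclass(eq=False)
class Token:
    user: str
    kind: str              # "certificate", "totp" or "paper" (printed OTP list)
    revoked: bool = False


class Inventory:
    """Token store with a per-user, per-kind limit on *valid* tokens."""

    def __init__(self, limits):
        self.limits = limits   # {user: {kind: max number of valid tokens}}
        self.tokens = []
        self.ca_issued = set()  # hypothetical CA record: subjects holding a live cert

    def valid_count(self, user, kind):
        return sum(1 for t in self.tokens
                   if t.user == user and t.kind == kind and not t.revoked)

    def enroll(self, user, kind):
        if self.valid_count(user, kind) >= self.limits.get(user, {}).get(kind, 0):
            return None                         # policy limit reached (or kind not allowed)
        if kind == "certificate" and user in self.ca_issued:
            return None                         # CA: subject already has an unrevoked cert
        token = Token(user, kind)
        self.tokens.append(token)
        if kind == "certificate":
            self.ca_issued.add(user)
        return token

    def revoke(self, token):
        token.revoked = True                    # no longer counts as valid
        if token.kind == "certificate":
            self.ca_issued.discard(token.user)  # the CA learns the cert is dead

    def delete(self, token):
        self.tokens.remove(token)               # inventory only; the CA record is untouched


def demo():
    """Which enrollments succeed for user A (cert + TOTP) and user B (cert + TOTP + paper)."""
    inv = Inventory({"A": {"certificate": 1, "totp": 1},
                     "B": {"certificate": 1, "totp": 1, "paper": 1}})
    cert, totp = inv.enroll("A", "certificate"), inv.enroll("A", "totp")
    out = {"a_second_cert": inv.enroll("A", "certificate") is not None,  # limit reached
           "b_paper": inv.enroll("B", "paper") is not None,
           "a_paper": inv.enroll("A", "paper") is not None}              # not allowed for A
    inv.delete(cert)                                                      # deleted, not revoked
    out["cert_after_delete"] = inv.enroll("A", "certificate") is not None  # CA still blocks
    inv.revoke(cert)
    out["cert_after_revoke"] = inv.enroll("A", "certificate") is not None
    inv.delete(totp)                                                      # no external record
    out["totp_after_delete"] = inv.enroll("A", "totp") is not None
    return out
```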