Small update: I tried enabling the “destroy” user permission for authenticated users. However, this will let any user delete any user, which is not the idea.
I removed the destroy permission and tried DELETE localhost:1337/api/users/me, but I get a “Forbidden” error.
I’m guessing I have to create a custom “destroyme” policy. A bit susprising this is not available out of the box.