So just because I enjoy this kind of thing (looking into laws and trying to understand them…):
GDPR is about roles, not ownership
There’s no property right in personal data under GDPR. The whole regime hangs on three roles:
- Data subject — the person the data is about.
- Controller (Art. 4(7)) — “the natural or legal person … which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- The rights in Arts. 16 and 17 are exercised by a data subject against a controller. They compel a third party to rectify or erase. They are not self-executing duties that a piece of software must expose.
That’s the key. In your architecture, for a user’s own posts about themselves sitting in their own feed on their own device:
- the user is the data subject, and
- the user is also the only person “determining the purposes and means” of that data.
There is no third party controller to compel. The “right to erasure” is a right to make someone else delete — and there is no someone else. It is satisfied the instant the user can change the file. A UI button is a convenience, not a legal requirement. Omitting it removes zero rights, because the data is a plain-text file the user can edit or delete by any means — editor, sed, git, their file manager. Full practical control is retained; nobody is being denied anything by anyone.