If I’m understanding this part correctly, the admin of any particular community can define this as they please with the following settings:
I believe that the defaults are the way they are because user deletion is a destructive process that can cause topics to become unhelpful or even misleading with gaps in the discussion. As the amount of activity on the user increases, so too does the chance of this being a problem. That is certainly the reason I have left them at their defaults.
As @Jagster has pointed out, GDPR is not the get-out-and-delete-everything card you make it out to be. Oftentimes companies are under no obligation to delete various data types and even directly personal information can be kept for a variety of reasons, including (heavily paraphrased) because it’s a bit hard to delete.
In the case of Discourse instances, it is reasonable (and legal under GDPR) to remove personal information from a user (anonymize on the user admin page) and leave all posts intact. The posts themselves may contain personal information or copyrighted material but it is reasonable and legal to put the responsibility of identifying those posts on the user due to the potentially large amount of time and therefore cost of manpower involved in doing so.
The admin for a community can decide whether they are willing to accept the risk of allowing users to delete their own accounts regardless of activity. If they do not allow this, the admin can decide on a case-by-case basis whether to delete an account when requested or to anonymize it. Similarly they can decide case-by-case whether to examine the posts for personal information or leave that to the user.