The bigger problem here even if you want to maintain your anti regulation stance is that a Google lockout prevents the user from acquiring the data that is rightfully theirs. If a lockout included something like a 90 or 120 day sunset period where you had read only export, even a harsh termination could at least be defensible.
That you should be able to obtain through GDPR in Europe at least, though it might be an issue to prove ownership if you didn’t provide your real name.
What doesn’t work that easily is resetting passwords without account access, especially since more services are switching to magic links instead of passwords (and the issues of managing multiple accounts in a standard browser password manager with things like slack having different sub domains and accounts for different projects)