In theory, yes. In practice it seems this might be, once again, relatively easy to avoid or restrict. Simply put up identification barriers that are so high none but the most determined pursue this.
"Oh, so you want [a copy of your data/to delete all your data]? Please prove you are who you claim to be, first."
This is at least the impression I got in general. Not saying Readwise would necessarily do that.
It's unclear from their terms if Readwise deletes all your data. I found no mention of the GDPR or an easy place to request a GDPR right to be forgotten request.
To their credit, they do mention "You shall have the ability to delete your Account at any time at https://readwise.io/delete." in their terms, but that page is behind an account login (so I can't see what it says unless I already agree to this term). Does account mean login credentials or all data? That's not clear to me up front.
"Oh, so you want [a copy of your data/to delete all your data]? Please prove you are who you claim to be, first."
This is at least the impression I got in general. Not saying Readwise would necessarily do that.