Allowing each tenant to move thousands of highly-sensitive internal tokens to a competitor is something the credit card processing industry, somewhat surprisingly, has more or less solved. Most credit card gateways that store card information on file in a PCI compliant way will allow a merchant to specify another competing PCI compliant service provider, and will export the merchant's information directly to the new service provider in bulk, without needing to provide any of the raw information to the merchant themself.
Via https://www.chargebee.com/blog/credit-card-portability-impor... it seems Braintree developed an industry standard for this in ~2010, potentially (I don't know the history) as a way to force Stripe to allow its merchants to move elsewhere in the ecosystem without holding their cards-on-file hostage. Based on the list at https://docs.spreedly.com/guides/exporting/ - all of whom support this workflow - it seems this was quite successful.
Ironically, the standardization site has been down since 2019, but I suppose it was no longer needed. https://web.archive.org/web/20190212151438/http://www.portab...
Its guiding light was to be "patterned after telephone number portability that was part of the 1996 Telecommunications Act" - which is quite telling in this context.
Point is, there is precedent for developing frameworks in which secure token storage platforms can allow you to freely move between them, with secure bulk data transfers. Apple and Google would do well to get ahead of this, lest it become a regulatory or PR nightmare later when high-profile stories accuse them of intentionally promoting lock-in.
