A user restricted by the readonly role is not allowed to change his own 1) email, 2) password nor 3) 2FA settings. The error message is shown in the attachment. I verified that adding Admin / PERMIT_ALL permissions to this same user allowed him to complete these steps.
All users, including readonly limited, should be allowed to change these three things about their own profile. We probably need to make an exception so that any user can update any of these fields regardless of their roles assigned.