Pragmatic solution: On the hardware side, offer (at least) one (nano)slot. On the software side, allow adding as many eSIMs as device storage permits.
I like the simplicity of switching a hardware token from one phone to a different one, for example if the battery dies or you want to try something or whatever.
Security-wise, are there differences? In theory, duplication is not possible (for both), the provider should enforce that there is only one login.
Privacy-wise, a real SIM might be obtained anonymously, at least in some countries. (edit: Hm… probably possible for eSIM in theory, too, but never heard of it)
Now, a SIM has the PIN (and PUK etc.) locally. How does that work with eSIM? Probably, once activated on the phone, there is a token stored on the phone, so you might want to be sure 3rd-party software has no access to it.