As r10s has already said, this requires either a centralized server or a binding to personal data such as a mobile phone number. I can only propose a modest solution to reduce the likelihood of compromise, namely creating a master key during profile creation. After that, if an attacker attempts to create a backup or clone the profile, Delta Chat would request the master password to proceed with the process.
salt = random
key = KDF(password, salt, cost)
verifier = HMAC(key, "DeltaChat master key check")
I understand that there is already a system-level lock on Android. On Windows, however, it is possible to steal the blob and decrypt all the contents using the portable version. Still, it’s better than nothing — at least in cases where the attacker knows the system password.
The only thing that can realistically be done at the moment — and I have suggested this before — is at least to know the number of active sessions. For example, if Delta Chat were to send an email at least once a day to the user’s own address containing information about the current device with a specific subject line, the client could then display this data in the “Connection” section (where the current mailbox size is shown): the device name and the last session time. In other words, the time when the last email was sent would indicate when that device was last active in a session.