It is easy to disable MFA for myself, by going into my profile page.
However, the biggest reason someone might want to disable MFA is that their current MFA isn’t working for some reason and they are unable to log in. In that situation they are unable to disable MFA for their account.
I can’t find any way for the Owner to disable MFA for a user that has locked themselves out in this way. The only discussion I can find is about disabling MFA completely.
As an aside, I figured out it is possible to extract a user’s TOTP token from /config/.storage/auth_mfa.totp, which can be used in case the user’s OTC generator app has for some reason got out of sync. This fixed my immediate issue, but being able to disable a user’s MFA for them would allow them to fix their MFA if it gets broken.