After introducing the locking in #24790 no CSRF token will ever be deleted
After introducing the locking in #24790, fetching the probably updated token array and merging this with the token array of the current request, all tokens that have been unset during this request are again added to the array (they are present in the fetched array of tokens).
Keep track which tokens are added and deleted during the request and update the token array accordingly.
Since we now know if changes are made to the token array during one request, we could simply skip the locking and persisting, which saves quite some time for modules that do not create or validate tokens (which most modules do not do).
(issue imported from #M17490)