I don't think having 3 encrypted backups of my wallet.dat will ever fail. In order for this to happen, all my backups need to be compromised (destroyed actually), at the same time, or at a small period of time in which I will fail to realize it and take precautions. It's extremely unlikely that 3 digital media will die at the same time and it's also unlikely that 3 locations will be compromised at the same time.
Apart from forgetting the encryption password, here's another scenario. First: when you say 3 backups, does that include the wallet you're using? I assume so. So by the time your system fails and you realize you need your backup, you'll only have 2 backups left. You're nervous, not very careful, and before you know it, you have only 1 backup left. Or you messed up one of your backups while you created it.
Do you at least check if you can restore from your backups once in a while?
In my view, making digital or physical backups isn't enough. We need to consider situations in which we're forced to show our backup. Let's say your government becomes a persecutor, an inquisitor, and decides to confiscate your coins. What's the plan of action? I've already given some tips on this, but I think for our own sake, it's best for everyone not to disclose their backup method for their own safety.
There are already countries creating legislative extensions to include Bitcoin and similar assets as confiscatable assets (
this is already happening in my country).
That's why it's important to plan your backup carefully and test it periodically to make sure it will work when you need it most.
You don't need to go much further. We know that an encrypted backup like wallet.dat will work if you're truly certain you encrypted it correctly and have control over the password. The same goes for those who make BIP39 mnemonic backups. However, the higher the level of encryption, while improving security, increases the risk of operational error. Therefore, it's essential to start with test wallets with very little funding.
Each individual should self-assess their security based on their threat model.