It seems to me that the way you have divided up the roles, you actually need 4 devices, because you need one to run commercial apps which are linked to identity (which rules out device 1) and which will only run on a "secure" device (which rules out 2 and 3). For example, banking apps.