The GDPR applies to all EU citizens; so the EU may not always be able to enforce it, but if it can it usually does. So if, for example, a company infringes EU citizen rights in the US, the EU courts can (and sometimes do) fine the company if it has a presence in the EU (i.e. it is capable of enforcing it).
My understanding is that it applies to data on people in the Union, and data on all citizens of EU countries whether or not they are physically in the Union.
If the entity doing the processing is established in the Union then it applies to all of that entity's processing of personal data, regardless of where that processing takes place or the citizenship of the people whose data is being processed.
Same for entities not established in the Union but in a place where Member State law applies. The example they give in the corresponding recital is in a Member State's diplomatic mission or consular post.
For entities not established in the Union, what it says is that it applies to data subjects who are in the Union in regard to activities related to offering them goods and services or monitoring their behavior as far as their behavior takes place in the Union.