But they have (a lot of) EU users, and they gather PII from those users (such as email, or in some cases username == first name or full name; and profile description can contain PII; they probably also get our IP) so they still must abide by GDPR.
If you have EU users you can't hide behind "well *my* country says you can take PII and not charge VAT and not provide refunds, and I don't care about 3D Secure or DSP2 when I charge EU credit cards etc etc."
You have to either comply with the law to get those users and customers, or withdraw from there.
It seems logical that as a citizen of [insert country] I should be able to rely on my own country's protections against [insert risk] whether the third party is from my own land or not.
Well yes. If a company is in the US and they didn't want to abide by GDPR, then their service can simply not be available to EU users.
Many US sites do that when they locate your IP in the EU. You basically get a "sorry, this is not for you" banner and you're SOL trying to get to the content.