My understanding of GDPR is that, theoretically, any service which is used by European citizens is subject to GDPR. It's the citizenship of the user, not the location of the hosting or service.
Under the same kind of reasoning, Hong Kong’s security law of a couple of years ago has global reach and European citizens in Europe can be held responsible for violating it if they say the wrong things.
Technically true, but in practice, jurisdictional limitations mean that this is often ignored without consequence by those who do not have a financial presence in the EU.
The EU can claim whatever they want - ownership of the moon, taxes from Chinese villagers, or that US companies in the US have to follow their little rules. Doesn't mean they have the right, jurisdiction, or authority.
