No if this is the case, they can't service EU citizens at all because US companies can't have any EU data because they can't protect EU citizen data.
The only way to service EU customers is when we assume entering data on an US website is not exporting data from the EU to the US by the US company. Just like when I go into a Walgreen in NYC as an EU citizen.
For the last decade US and EU companies have ignored the fact that it is/was mostly illegal do transfer EU citizen data to the US (it is currently legal but will be illegal again) - also every EU company that exports data to the US (e.g. by using Mailchimp) needs to guarantee the safety of the data by auditing Mailchimp, no one does and there have been no fine for now, but I assume there will in the future.
"The EU parliament raised substantial doubts that the new agreement reached by Ursula von der Leyen is actually conform with EU laws, as it still does not sufficiently protect EU citizens from US mass surveillance and severely fails to enforce basic human digital rights in the EU. In May 2023 a resolution on this matter passed the EU parliament with 306 votes in favor and only 27 against, but so far has stayed without consequences."
Someone randomly walking into a Duane trade in Seattle and purchasing a device would not be reasonably coveted under the GDPR
However if 23&me were targeting European citizens that would be different.
Despite what the adtech industry likes to claim online, Bobs Burger Joint in Baltimore does not have to be specifically concerned about abusing their customers data even if a customer happens to be an EU citizen.
Now if they shipped frozen burgers to France online then sure they would. If they sold “merch” in euros they would. But a local store with a physical premises trading in person? Not covered.
A European citizen living in Austin buying from Amazon though, could well be covered. Amazon do target EU citizens
If Sam were to target an EU citizen then it would.