It's the other way around. The law protects according to point of access (EU soil), not according to nationality. So an American tourist in France would be protected, but not a French tourist in the US.
This is just like most laws, when you're a tourist in a foreign country you have to follow the local laws, not the ones from your passport country.
This is technically true, however if the site is not targeting EU residents, the traffic is supposed to be considered incidental and the GDPR is not supposed to apply.
This is just like most laws, when you're a tourist in a foreign country you have to follow the local laws, not the ones from your passport country.