[Silhouette]

A noticeable number of websites outside the EU did block access to people who appeared to be from the EU when the GDPR was introduced.

As for over-reach, the practical reality is that laws can be enforced extra-territorially if, and only if, the country that wants them has leverage. In some cases, that comes from making deals with other governments, where one or both give weight to the other's claims voluntarily in their own territory.

In other cases, it comes from networking effects. If you are a US-based business running a US-based website with no presence of any kind in the EU, then maybe the EU can't do anything to hurt you. On the other hand, if you have any relationships with other businesses that are within reach of the EU, they might be used as leverage to reach you.

Worst case, you find that anyone connected with your business who travels to the EU or anywhere with a relevant extradition treaty gets arrested. Obviously a reaction that extreme is unlikely, but if perhaps a government thinks you owe them lots of tax money or the personal data you aren't processing according to their wishes relates to some matter of their national security, stranger things have happened.