GDPR would be fine if they had limits for small businesses. As written, startup founders don't have the resources to comply, so they often end up blocking all of Europe.
A lot of times, it's not even spying on users. It's not wanting to put in the time and effort to determine if you are in compliance or not. So you block all of Europe and you get around to it if you ever have the resources or care. You might have been in compliance the whole time, but why chance it when IP blocking is easy? That's basically every local US newspaper right after the GDPR passed. Hell, I've worked for companies where I literally know we're not tracking users and we're pretty secure, but we block the EU because no one has the time to check if there was something specific we needed to do. My current company had to rearchitect their entire deployment pipeline specifically for the EU, not because we changed literally anything, but because the lawyers found that there was something about our cloud host provider that the GDPR disallowed because it was hosted on US soil. We have 1 EU client. I assume if they weren't so big we would have dropped their contract.
My wife and I run a small (2 person) business in the EU. The largest hurdle was finding a hosting provider (VPS) that wouldn't transfer data outside the EU so we wouldn't have to add SCCs to our privacy policy. As a business owner, I'd say the balance is still positive, it forces some self-reflection on data gathering practices.
Not sure about the "hosted on US soil" part; if you are a US company, the data gets transferred anyway when you view it.
Why do you think not being willing to put resources into complying with rules equals intentionally "spying on their users"? How come you think the rules assert that businesses are not able to spy on their users without their consent? You should rather look at what's inside the law's box instead of just looking at the packaging.
The value data has varies a lot... Something like behavioural targeting data for marketing is probably inconsequential. But what about health care or financial information? Those could have an actual larger impact. And they could be handled by a pretty small business... It is easier to give generic guidelines than to specify each sector separately.
If you're too stupid to handle a simple "do not track, write down that you do not track, do not sell your users to others" policy, I have bad things to say about the validity of the rest of your startup.