But thing is, PII is not "live ammo". Artificially designating it so simply raises the cost of working with it. Doing that designation through an amazingly dumb law just makes EU Internet startups unfeasible. Meanwhile, US and Chinese startups flourish since they don't have this limitation.
I worked for a number of American companies, not beholden to also serve EU markets. They still did not demonstrate any cavalier attitudes towards PII though. Nobody wants to be the subject of some data leak front-page story.
Of course not, but there is a huge difference between market-demanded standards and quality and government-mandated ones. In more ways than one: cost, difficulty of implementation, UX, etc.
A real, practical example is that US web startups do not have to annoy their US users with cookie banners for simply using Google Analytics on their website - like the EU ones must. Underneath, the implementation and PII data protections are exactly the same, but the UX is night and day.
Handle PII as you would handle live ammo. Always know where you store it. Don't toss it randomly. Don't experiment with it; neutralize it first!
Use it to hit particular targets, and never shoot it in random directions.