> And think about it: is there a really huge increase to privacy? What exact attack scenarios does this defeat, and how likely are such scenarios compared to run-of-the-mill privacy breaches (lax security)?
Those are two entirely different scenarios. There's no reason both couldn't (and shouldn't) be handled in parallel. For example, starting next year, companies within the EU are held liable for data loss, with fines of up to (IIRC) 3% of their global revenue. That policy handles the lax-security concerns; there's no reason not to tackle other problems, like the one described in this thread.