All information centralizing in the hands of the few companies that can afford the consultants and lawyer time to figure out what the GDPR even means is an unambiguously worse outcome for people’s privacy.

I would go so far as “any company with a mature regulatory compliance function is an extreme threat to your privacy and not mitigated in any way by the GDPR” and “any company small enough to plausibly be found in noncompliance with the GDPR was never a threat.”

You make it sound nefarious. "Collecting" could be as simple as having a mis-configured webserver log that captures too much. Should a big company take measures to protect user data, and be penalized for breaches? Absolutely. Should a one-man-show app developer be slapped with a crippling fine for something slapped together just trying to see if he can make something people want and try out product/market fit? Only if your goal is to grant an unchallengeable de facto monopoly to the existing players.

Safe harbor is generally used for user generated content. How do you propose running a pastebin that's GDPR compliant?