Forget all the stuff out there that says the GDPR protects EU citizens. This is a question of jurisdiction and enforcement. Say I run a blog under a business registered in the US funded by advertisers in the US. An EU citizen that comments on posts issues a GDPR request that I ignore. Their government fines me. I tell them to get bent, I am out of their jurisdiction. What can they do at that point?
The Trans-Atlantic Data Privacy Framework (and subsequent executive orders) protects the EU citizens from misuse of their data by US law enforcement and intelligence communities.
They do not give EU citizens any rights concerning data held only by private companies, apart from the rights all Americans already have.