Forget all the stuff out there that says the GDPR protects EU citizens. This is a question of jurisdiction and enforcement. Say I run a blog under a business registered in the US funded by advertisers in the US. A EU citizen that comments on posts issues a GDPR request that I ignore. Their government fines me. I tell them to get bent, I am out of their jurisdiction. What can they do at that point?
It isn’t a treaty, even according the EU:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
It is implemented via executive order which courts don’t have to honor. All it means is LE agencies have to take action. Courts are free to ignore the EO and dismiss any charges or civil suits. A treaty is a different story.