Have been asking this myself lately.
People always seem to get defensive about this topic, but if an instance gets challenged on a GDPR investigation it could have a huge fine associated to it.
It is good to have this sorted out, so instance owners don't enter a life changing financial risk.
Currently we probably are too small and fly under the radar, but this could become a big problem as the fediverse scales.
Issues I wonder about:
How safe is the Fediverse? Is there a way for a federated instance to misuse the user data? Or can such activity be detected and cause a defedaration.
How easily can all user data be deleted if a request comes in to remove all personal data? Wouldn't that request have to be extended to all instances your instance is currently federated with?
Instances probably wouldn't be able to handle a bad actor (for example Meta, or spez) that decides to start a mass request attack.
Corporations have lawyers that deal with this stuff, I don't feel like most instance owners have the same kind of protection here.