The GDPR indeed says the punishment should be proportional; but what does that mean to you? Are you sure it would mean the same thing to a regulator? A regulator who dislikes you? If they said that 10k email addresses and MD5-hashed passwords leaked from someone's game server was a worst-case breach, then I'd say that was ridiculous; but I don't see what in the text of the law lets me say that it's objectively false.
The USA has no concept of a separate entity for sole proprietors. It's just you, even if you're trading under a business name. If the GDPR didn't apply to that, then that would be a massive loophole, so I'm pretty sure it does. In any case, the real question is perhaps commercialness, where (a) lots of hobby projects have some small commercial element, ads or donations or a tee shirt or whatever (and to be clear, I do think privacy regulation should apply to them, just more specific regulation); and (b) I strongly suspect the GDPR applies to some noncommercial activity too--would the EU let a political group pull a Cambridge Analytica with all volunteer staff? I haven't researched that, though.
If I lived in Germany, then I'd probably have pretty good faith in my regulators. But imagine the example of that Soros-linked group in Hungary (which I'd edited my first comment to add, so you may have missed it). I don't think that's hypothetical--political organizations keep lots of data, so I suspect that somewhere, a group is making plans to comply with the GDPR, as interpreted by regulators whose government considers them "enemies of the state". What would you do in their place? Wouldn't you wish the text of the regulation gave the regulators less room to maneuver?
Well, they are seperate entities so the loophole exists for how the US handles it but in the EU there is no loophole.
>In any case, the real question is perhaps commercialness
Last I checked you don't need commercial elements like ads, donations or anything like that to be considered commercial. Running your own git server with open registrations would be considered commercial (there is additional seperation in that you don't have to pay taxes unless you are profit-interested).
>I strongly suspect the GDPR applies to some noncommercial activity too-
Monitoring of any kind that is strictly outside private interest.