It’s also a statement that sometimes requirements conflict. As a business owner, I’m required to keep proper books. That means every invoice needs to be on the book for at least 10 years. But invoices contain personal info - a name and address at least, possibly other data. You can’t require me to delete those invoices on GDPR grounds and violate the bookkeeping requirements.
And unlike data collection by random companies, data collection required by law is subject to public and judicial review. Laws are known - what data companies collect not necessarily.
That comment was not inspired by mistrust of the State. (I would trust the average European government far more than I trust my own.) I'm saying that private firms will use this ready-made excuse to intentionally exceed the limits placed by a straightforward reading of GDPR.
Remember that Europeans trust their State more and their companies less than US citizen, on average. The law simply reflects that state of mind.