In essence, your connection to a given peer is encrypted in a way that only you both have the keys, even if someone breaks that key (such as the peer being a bad agent) it would not compromise your connection with other peers as they will use different keys. It is quite an awesome protocol.
It's nice but the fact that you can never delete a message in your feed means that it doesn't really work as a social media protocol. Some people see that as a feature since it is theoretically uncensorable, but that's not how humans like to interact.
I have been using patchwork[1] as my main social network client for scuttlebutt. In my current experience, the fact that messages are not removable makes me more careful when writing and has led to much better and more meaningful interactions on the network.
Also remember that a message being in the feed doesn't mean it is displayed. Scuttlebutt is quite flexible, there are clients that have support for "chess messages" so their users can play chess, patchwork doesn't support those messages so I don't even see them. There is git-ssb[2] which allows people to host and contribute to code directly inside the feed, not all clients show these messages but they are all there.
New messages could be added for flagging a message id as deleted and clients could honor them and not display that message anymore, they would still be on the feed, much like in version control systems we still have access to deleted files (if no one rewrites history).
I enjoy how permanent things are there because as a side-effect it causes people to care more about the ecosystem and culture as those are permanent stuff you're putting out there. Check out this essay "the future will be technical"[3] about the culture on scuttlebutt, you'll see it is quite different than other social networks, but I agree with you, your experience may vary and what I consider an advantage, others may see as a reason not to use.
I am not a lawyer either, but doing a quick read on the scope, I found in first phrase:
"The regulation applies if the data controller (an organization that collects data from EU residents) or processor (an organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU."
And this might not apply as there is no data controller, organization or company. You data is on your computer and it replicates that data to friends and friends of friends. There is no cloud or service involved, it is from one machine to the other, I believe someone that has real knowledge of legal matters and p2p should chime in. I am also a bit lost regarding this.
I contacted an e-chum who is a lawyer specialising in the field of IT, IP and media law [0]. He pointed me back to Article 17 of the Regulation, Right to erasure ('right to be forgotten'), which is contained in [1].
This states that:
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay ... where .. the data subject withdraws consent on which the processing is based..."
Paul also expressed the view that: "It’s certainly been written in a way that should require systems to be created to allow for the deletion of personal data, though!"
That intent is key here. Basically: if someone asks you to remove their data and you refuse (or fudge, etc.), then don't be surprised if the EU comes knocking.
Surely that means that the people who replicate it from your ("your friends" and "your friends of friends") would be required to delete the (personal) data?
https://ssbc.github.io/scuttlebutt-protocol-guide/#handshake
In essence, your connection to a given peer is encrypted in a way that only you both have the keys, even if someone breaks that key (such as the peer being a bad agent) it would not compromise your connection with other peers as they will use different keys. It is quite an awesome protocol.