They can't under GDPR. The DMA is for market access - there are other laws for privacy. Those require use commensurate with what is needed for the service, so anyone who e.g. scraped all of a user's local info and stolen it would be breaking EU privacy laws themselves.

This is not complicated. Even in the US, every other industry is regulated to your benefit, you're just used to it and haven't realised. Digital technology obviously needs to be too. And yes, you have to do it properly.