>Only applies to EU citizens' personal data

That's not true.

The GDPR applies to the personal data of anyone physically in the EU, to the extent that the data are processed[0] while they are in the EU.

It also applies to the personal data of anybody anywhere in the world if the data controllers are based in the EU.

The reason why it's different to US sanctions/export controls is that the GDPR doesn't say you can't work with certain people in certain circumstances because of who they are in order to punish those people for whatever reason. It's fundamentally to protect the data subjects.

[0] which includes collection of said data