I can give an educated guess about GDPR:
Since the European Union has officially endorsed Mastodon (social.network.europa.eu), as long as your instance complies with GDPR, you are not liable for actions taken by bad actors using ActivityPub to do bad actory things.
I am not sure about how that applies to data being sent to non-EU servers, as I lack knowledge about GDPR.