That's how it should be. Sadly the EU is taking a very different approach of trying to set laws for the whole world based on very unclear (and definitely unprecedented) requirements. It's true that they will have no jurisdiction over the pizza guy - just until he comes to the EU or to an allied country. Another comment talks about how it's very likely that GDPR will be a requirement of trade deals.
Even then not. The territorial scope in Article 3 of the GDPR is not that far reaching. It applies to processors with establishment in the EU, non union data processors who perform a service to data subjects in the union or the case of the pizza guy:
> 3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
So unless there is a treaty that puts GDPR into scope, the pizza guy is fine.
