It doesn’t matter where the service is hosted, if it serves EU citizens it MUST comply with the GDPR, even if it’s hosted in USA, that’s why even the big companies like Google, Microsoft and all the others comply (or SAY they do, no one trusts FB on data deletion). So yes, they DO have power there.

Also, from what i understand you’re assuming federation means that everything is everywhere. That is not true. From what i see from Lemmy’s mechanisms (and from what my critical lack of caffeine allows me at the moment), if something is deleted on one instance it should get deleted on all as Lemmy sends the deletion request to other instances, and anything remaining from other places should be eventually deleted and flushed out of caches, that part shouldn’t be an issue there. So, the instance admins would be responsible only for the data of the users in their servers, not the others. And yes, they WOULD be responsible and legally liable if this is in fact a violation (still not sure, might be OK and not even a problem as “restriction of processing” from article 18, i guess i’ll continue searching tomorrow, it’s 2AM here and i’m done).