Ah, neat.
Experts say a lot of things on GDPR. One of the really interesting things about reading it myself is that I've found a lot of them seem to be wrong. I've heard a few people talking about a "social media exception" that doesn't seem to exist, for example.
It's possible that there have been preliminary rulings on GDPR that I'm not aware of, because I'm not a lawyer. So I'm not by any means declaring that your experts are definitely wrong, but I am nigh on certain that their source of information for making such statements is not the GDPR text itself.
I disagree that GDPR is an overly broad law, by the way. The GDPR text is actually fairly specific. It encompasses a large domain, but it clearly defines that domain (Article 9 is an example of a large but specific definition, although it is only one of multiple such articles) and tells you clearly what you need to do within that domain to be compliant.
People just /think/ it's overly broad because it impacts a lot of tech companies and none of them have actually read the text. The human brain interprets this as "inspecific", whereas it's actually carefully targeted at a handful of specific things that lots of tech companies are doing (or not doing).