The problem is federation in general. This is exactly why it’s a general privacy and GDPR nightmare: even if you hate corporations and use all the alternative stuff, you’re still handing all your data over to them in the end anyway, because your server (or most other servers you federate with) federates with them too. And when servers (like matrix.org) use MITM-as-a-service providers like Cloudflare, those providers can see all the TLS-decrypted data too. Even with e2ee enabled for a room, the only thing that’s encrypted is the message itself (not the sender, timestamps, etc.); basically there’s lots of other metadata that can be gathered without the message contents.
There’s also a big problem with servers defederating from each other, so in that case you never really know who, or whether anyone else, is even seeing your messages… basically you’re just choosing which wind to piss into.
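The metadata point above, as an added example that is not part of the original thread and not code from the Matrix project: it builds a few constructed `m.room.encrypted` events in the shape Matrix uses for Megolm-encrypted rooms (user IDs, room IDs, device names, keys and timestamps are all made up) and shows what a federating homeserver, or a TLS-terminating proxy in front of it, can aggregate from them without holding any decryption key. Only `content.ciphertext` is protected; everything else in the event is cleartext.

```python
"""
What an encrypted Matrix room still leaks to whoever relays the events.

Added example, not code from the thread above or from the Matrix project.
SAMPLE_EVENTS are constructed: the field layout follows m.room.encrypted
events for Megolm, but every identifier, key and timestamp is made up.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: four events as a homeserver receives them over
# federation. Only content.ciphertext is an opaque Megolm payload.
SAMPLE_EVENTS = [
    {
        "type": "m.room.encrypted",
        "sender": "@alice:example.org",
        "room_id": "!roomA:example.org",
        "origin_server_ts": 1700000000000,
        "event_id": "$evt1",
        "content": {
            "algorithm": "m.megolm.v1.aes-sha2",
            "sender_key": "curve25519-key-alice-phone",   # made up
            "device_id": "ALICEPHONE",                    # made up
            "session_id": "sess-alice-1",                 # made up
            "ciphertext": "AwgAEhA...opaque-megolm-payload...",
        },
    },
    {
        "type": "m.room.encrypted",
        "sender": "@bob:example.net",
        "room_id": "!roomA:example.org",
        "origin_server_ts": 1700000060000,
        "event_id": "$evt2",
        "content": {
            "algorithm": "m.megolm.v1.aes-sha2",
            "sender_key": "curve25519-key-bob",
            "device_id": "BOBDESKTOP",
            "session_id": "sess-bob-1",
            "ciphertext": "AwgAEhA...opaque-megolm-payload...",
        },
    },
    {
        "type": "m.room.encrypted",
        "sender": "@alice:example.org",
        "room_id": "!roomA:example.org",
        "origin_server_ts": 1700000120000,
        "event_id": "$evt3",
        "content": {
            "algorithm": "m.megolm.v1.aes-sha2",
            "sender_key": "curve25519-key-alice-laptop",
            "device_id": "ALICELAPTOP",
            "session_id": "sess-alice-2",
            "ciphertext": "AwgAEhA...opaque-megolm-payload...",
        },
    },
    {
        "type": "m.room.encrypted",
        "sender": "@alice:example.org",
        "room_id": "!roomB:example.org",
        "origin_server_ts": 1700003600000,
        "event_id": "$evt4",
        "content": {
            "algorithm": "m.megolm.v1.aes-sha2",
            "sender_key": "curve25519-key-alice-phone",
            "device_id": "ALICEPHONE",
            "session_id": "sess-alice-1",
            "ciphertext": "AwgAEhA...opaque-megolm-payload...",
        },
    },
]

# The only path in the event that Megolm actually encrypts.
ENCRYPTED_FIELDS = {"content.ciphertext"}


def cleartext_fields(event, _prefix=""):
    """Dotted paths of every field a relaying server can read as-is."""
    paths = []
    for key, value in event.items():
        path = f"{_prefix}{key}"
        if path in ENCRYPTED_FIELDS:
            continue
        if isinstance(value, dict):
            paths.extend(cleartext_fields(value, path + "."))
        else:
            paths.append(path)
    return paths


def metadata_summary(events):
    """Aggregate what an observer learns with no key material at all:
    who posts in which room, how often, when, and from which devices.
    Returns (rooms, devices): rooms maps room_id -> stats dict,
    devices maps sender -> set of device IDs seen (when present)."""
    rooms = defaultdict(lambda: {"senders": set(), "messages": 0,
                                 "first_ts": None, "last_ts": None})
    devices = defaultdict(set)
    for ev in events:
        if ev.get("type") != "m.room.encrypted":
            continue
        stats = rooms[ev["room_id"]]
        stats["senders"].add(ev["sender"])
        stats["messages"] += 1
        ts = ev["origin_server_ts"]
        stats["first_ts"] = ts if stats["first_ts"] is None else min(stats["first_ts"], ts)
        stats["last_ts"] = ts if stats["last_ts"] is None else max(stats["last_ts"], ts)
        device = ev["content"].get("device_id")  # cleartext when clients include it
        if device is not None:
            devices[ev["sender"]].add(device)
    return rooms, devices


if __name__ == "__main__":
    print("cleartext fields on one event:", cleartext_fields(SAMPLE_EVENTS[0]))
    rooms, devices = metadata_summary(SAMPLE_EVENTS)
    for room_id, stats in rooms.items():
        first = datetime.fromtimestamp(stats["first_ts"] / 1000, tz=timezone.utc)
        last = datetime.fromtimestamp(stats["last_ts"] / 1000, tz=timezone.utc)
        print(f"{room_id}: {stats['messages']} messages from "
              f"{sorted(stats['senders'])} between {first:%H:%M:%S} and {last:%H:%M:%S} UTC")
    for sender, devs in devices.items():
        print(f"{sender} posts from devices {sorted(devs)}")
```

Note that `content.session_id` and `content.sender_key` also stay cleartext, so an observer can additionally tell which messages came from the same Megolm session, that is, the same device over the same stretch of time, even if the device ID is omitted.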
Basically nothing happens in most cases. In your example of a local Australian company, no, they are generally not forced to comply with any EU law unless they also do business there in some way.