Servers processing IP, User Agents, Emails, etc. as part of security is not part of the agreement to share with the fediverse.
So, an instance that federates will be able to receive the publicly shared information for free (usernames, display names, profiles, posts & comments). They won't get any PII that a user does not explicitly share (by writing it in a comment).
But if an instance started selling the information of their own users, then that would be in violation of GDPR.
Yep, only the necessary data is federated. The other relevant data that's logged (which is much less than what other social media platforms collect, to be fair) could potentially be abused.