I think so, too. Certainly, they should be in scope for the “data protection” part, or (extreme example) you would be allowed to log personal data to a publicly visible server.

To be clear, when I say GDPR doesn’t apply. I’m taking about information requests (the topic of the linked article).

The data protection part of GDPR of course applies to all PII regardless of how it’s stored. But that part is not new in GDPR, the EU has had strong data protection laws for a while. (Even if people didn’t talk about it)