Why have you isolated one element from a multiple element sentence:

If

* core activities * require * large scale * regular * systematic

If you tick all those other boxes, but are concerned that your processing may be teetering on the boundary of 'large scale', I would be cautious and assume your liable.

All repeatable processes are systematic, almost the whole IT goes into the category. And "core" is undefined too.

I agree that it is safer to imply you're liable.

These are excellent questions that you will have to have shown you've considered if you get audited. If there's disagreement with the regulator, you'll come together to resolve it, and then may need to appoint one.

Well, so it's undefined, at least until practice of legal application establishes. Undefined means risk, and stopping serving EU is a meaningful mitigation, if your profits don't compensate you for all the hassle. Where's "overreaction“ then?

Monal is an XMPP client running on user's iOS devices. Is that person even running an XMPP server for those users?

A UK privacy attorney I know considered 20k records (individuals) to be large scale. I haven't seen much helpful guidance. The WP29 guidance I've read only gives examples at the very extremes of large and small so not too helpful. Practical guidelines will evolve over time.

I guess if you have to ask that question you are not a large scale.

I don't think an argument of such kind would stand in your communication with regulators, or (especially) in courts.

This is "what will you do if the lightning strikes you" thinking. Only about less probable things.

I'm not sure I understand your point. Do you mean “they won't catch you"?

They won't even manage to precisely decide what actually means 'large' let alone if it applies to you specifically, before you die of old age.

The above statement will apply to everybody or nearly everybody (still not you).