There are ways to make this problem less bad though. You have your permissive case and then write a number of examples into the law that show what you do not consider allowed and invite future courts to consider them. Pre-emptive case law (which is a lot cheaper than actual case law), if you will.
Which is exactly what has happened. GDPR (or any other piece of legislation, really) explicitly enumerates some of the situations.
E.g. Recital 47 on Overriding legitimate interest:
"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
I.e. Facebook is entitled to use your data for their own direct marketing to you (e.g. sending you leaflets, sale offers or telemarketing) according to this. We can guess how this provision got there (likely the lobbying has been fierce).
Or Article 22 on automated processing/profiling:
"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
A lot of people make all sorts of comments on GDPR (and other regulation) but it is unfortunate that very few have actually *read* what they are commenting on.
It is interesting which special cases are explicitly noted in the GDPR (credit scoring for instance) and which classes of data are specially protected (political alignment, medical data) - and where the lobbying shines through by omission.
I would give the legislators some credit there. While it is certain that the lobbying has been fierce (as with any legislation) and that no law is going to be perfect and make everyone happy, it is a bit of a tall order to expect the lawmakers to anticipate all sorts of crazy business models and legal theories someone could come up with in response to the legislation and prevent them.
That's just not realistic, esp. not when technology is involved, which evolves at light speed compared to the comparably glacial tempo of the regulatory and legal world.
E.g. GDPR was proposed in 2012, adopted in 2016 and has been fully in force since 2018. I.e. the entire process took over 6 years!
Where were e.g. Facebook or Amazon in 2012 and where are they today? What about the siphoning of (also personal) data by various AI training systems - is that covered by GDPR too or not, as the data are not really "stored" in the resulting models? Not something one could ask the legislators in 2012 to anticipate, really.