GDPR and User Profile published as public

Hi
How does the setting User Profile is mandatory to be published public work with GDPR ?

Understandable that to register and login modules as user, this need to published public to function, done over HTTPS not to worry about,
but concerned about User Profile module as this shows a users profile and information or ?
Can see that the User Profile menu link can be moved to be child of another restricted menu, but this does actually not restrict access to Profiles, merely just hide a link do not protect users GDPR sensitive information to public disclosure, i.e. as web page owner not able to demonstrate you control such information as required.

Is it possible to restrict only to view profile information of registered users, if you are registered (approved by moderators / admin ) i.e. to see users full name, gender, address, birthday, relations etc... ?

You need a public profile menu item because its Itemid (used by Joomla for menu routing) is used as a fallback for any CB link that doesn't have a dedicated menu item. Without this you may find some URLs just not working correctly. Profiles themselves do not need to be public and you can configure them to not be public in CB > Configuration > User Profile. This limitation will be gone in CB 3.0 as we'll be rewriting a lot of this behavior.

Field access can be adjusted by changing the access of the tab they belong to, but if you want the best control over this you'll need CB Privacy where you can have individual per-user privacy controls for tabs and fields. CB Conditional can also be used to strictly limit access to individual tabs and fields.