You tell me, you sent me away.
I think data protection, retention, access, rectification and deletion laws are going to hit anyone hosting an instance. The EU is also in the process of introducing a “data migration” law, that is mostly targeted at “large” social media, but we’ll see what ends up getting approved.
I’m not a compliance expert, but what I know about these laws makes me fear setting up an instance just to get hit by whatever fines.
Could it be a subdomain, though? What if a spammer started a “Lemmy instance as a service” on “legit.ml”, and started creating instances on “lemmy.u<number>.legit.ml”? What if some of the instances were actually legitimate, while thousands of others weren’t? What if… oh well, the rabbit hole goes deep on this one.