The reverse engineering is really secondary to the regulatory regime. The company in this story had already been investigated and fined before anyone had tried to reverse-engineer their app.

It's an offence under GDPR to fail to cooperate with a supervisory authority. There are extensive record-keeping and transparency requirements. Trying to play cat-and-mouse is itself illegal and likely to be legible to the regulator.

https://gdpr-info.eu/art-30-gdpr/