Counterpoint 1: "But X does something even worse than Y" does not mean we shouldn't care what Y does. This happens to be a forum about Y, so of course we're talking about what Y does. Just for argument's sake: Yes, there are many many companies out there that collect much more intrusive data. So what?
Counterpoint 2: You have fundamentally misunderstood the GDPR framework. For the GDPR to even apply, according to Art 2(1) PDX has to process "personal data". Under Art 4(1) this means "any information relating to an identified or identifiable natural person". So if PDX were to wholly deal in aggregate statistics and leave out any personal identifiers, they would only be handling anonymized data, which wouldn't even fall under the scope of GDPR and hence require no consent. In making this huge deal about GDPR compliance, PDX is tacitly admitting that they don't do that. Sure, the end goal may or may not be a broad statistical overview, but either they are unable or unwilling to do it in a truly anonymized way.
Counterpoint 3: Only thinking about the end goal of data collection in an ideal world is a bit short-sighted. Data gets lost (on an old hard drive), stolen, mishandled (sold by a disgruntled employee), company ownership and policies may change, etc. Part of the GDPR's focus is making companies really think about what kinds of data they collect, whether this data is really necessary and in what way it is collected and stored to mitigate long-term risks. In this light I don't find your argument very compelling.