Governments are exempt from GDPR. Further it is regulators, not individuals, who determine which data processing activities are lawful. GDPR certainly takes power away from companies, but it transfers that power to the state, not to individuals.
The GDPR does apply fully to government agencies, some requirements are even stricter (e.g. they always need a Data Protection Officer). Most agencies had to alter their policies because of that. What is true that there can be special purpose laws giving a government agency the power to process some data (e.g. by tasking them with collecting some information, such as say your income for tax levying). Member states can also pass laws to overwrite portions of the GDPR for some listed purposes, such as public security but those don't apply to the vast majority of governmental data processing. Naturally, that makes the government more powerful than private companies but certainly not more powerful compared to a time before there were data protection laws.
While those are valid points, it does also empower the individual. Being able to ask a company for their data on me is a huge boon that's gonna change the game.
