There are ways. Placing regulatory burdens or legal liabilities on anyone running a social media instance would quickly make Mastadon untenable. Something as simple as manditory age verification might be enough.

Legal strategies won’t work effectively, just as they haven’t against BitTorrent pirating and sites like the pirate bay. Likely there will always be a jurisdiction where those restrictions don’t apply.

The instances can move to jurisdictions where the regulatory burdens and legal liabilities are slightly different.

How are they not in compliance?

For example by not providing a privacy policy that contains all the information required by GDPR article 14.

Wouldn't that be only applicable if they were harvesting people's information submitted by other people?

My first thought is that people running Mastodon wouldn't qualify as data controllers, but I am no expert in GDPR laws.

It’s also not massively violating copyright. Napster was shut down through legal action.