A user making a message board post anonymously isn't actually making an anonymous post, all that's happening is their username is being obscured (but exposed by "My Posts" tab). When the user is processed for GDPR export their anonymous posts are being included in the export, potentially exposing them to the data handler or anyone with access to the exported zip file as the author of anonymous posts.
User's exported data shouldn't include posts that were made anonymously before GDPR was enacted. User should have some better assurances that they won't be exposed as the author of a post to the data handler (if the data handler should maliciously open the password free zip file).
User's exported data include posts made anonymously before GDPR was enacted.
Note: This is an ongoing issue with liferay where anonymous posts are not dis-associated with the user who authored the post and the author continues to be exposed through various malicious attempts to expose the true author.