Right now we just save the @mention text, not the actual user association.
And provided this does not provide direct attribution, then this is in fact acceptable and within GDPR. For example, having John Smith as the @ name is obviously providing attribution (but you could argue that the name means nothing given its popularity, and it would be a valid point), but a handle like "theWasp" doesn't - unless there is a post that directly correlates that handle to a physical person.
For example, if someone posted "@thewasp is John Smith who lives at ....." (you get the picture), then this clearly provides direct attribution, and you'd have no foundation to keep data in this manner. Unfortunately, the only way around something like this is to develop a plugin that performs regex matches and purposely looks for data to redact or expunge.
This specific method can be expensive (in the performance sense) on large forums and associated databases, and complex in nature owing to the type of regex you'd need to build. Even then, you cannot possibly catch everything because you'd run into issues such as the regex being too "greedy" (affecting large portions of text in a gratuitous nature) or too lenient (not going far enough). There is seldom any sensible balance - it's either too much, or not enough.
You'd need to search the entire database looking for possible matches, and that would take significant effort to ensure you removed or redacted information that could provide attribution.
This is where the waters of GDPR and privacy become muddied in the sense that you need to impose sane limits on what is necessary to either remove or redact. For example, if a user claimed that "the" personally identified them, you couldn't remove it for obvious reasons otherwise literally everything your other users have posted would need redaction, and that makes zero sense.
This is why "legitimate interest" exists in the first place. You are entitled to keep data intact if it is considered impactful to the consistency if you were to remove it, but you cannot claim implied consent (assuming it's ok to keep without foundation).
GDPR is a complex animal and most people either go way overboard, or do nothing at all, which is arguably worse. NodeBB has this balance just right.
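The greedy-versus-lenient problem the post describes can be seen directly in a redaction pass. The following is an added example, not code from the original thread or from NodeBB: two hypothetical regexes run over constructed sample posts, one that swallows everything after "is" (and therefore redacts harmless replies and unrelated trailing text) and one bounded to a capitalised name plus an optional address clause. Both patterns and the sample posts are assumptions for illustration.

```python
import re

# Constructed sample posts for illustration (not from the original thread).
SAMPLE_POSTS = [
    # Direct attribution of a handle to a person and address.
    "@thewasp is John Smith who lives at 12 Example Road. Anyway, back to the plugin question.",
    # Harmless reply that a greedy pattern would wrongly redact.
    "@thewasp is right, the plugin is slow on large forums.",
    # Plain mention with no attribution at all.
    "Thanks @thewasp, that fixed it.",
]

# Overly greedy (hypothetical): '.*' runs to end of line, so it also removes
# unrelated trailing text and matches sentences that contain no personal data.
GREEDY = re.compile(r"@(\w+) is .*")

# Bounded (hypothetical): requires a capitalised two-word name and an optional
# "who lives at ..." clause that stops at the end of the sentence.
BOUNDED = re.compile(
    r"@(\w+) is ([A-Z][a-z]+ [A-Z][a-z]+)(?: who lives at [^.\n]+)?"
)

REPLACEMENT = r"@\1 is [redacted]"


def redact_greedy(text):
    """Apply the greedy pattern; keeps the handle, redacts the rest of the line."""
    return GREEDY.sub(REPLACEMENT, text)


def redact_bounded(text):
    """Apply the bounded pattern; redacts only the name/address clause."""
    return BOUNDED.sub(REPLACEMENT, text)


def redaction_report(posts):
    """Return (original, greedy_result, bounded_result) for each post so the
    over- and under-reach of each pattern can be compared side by side."""
    return [(p, redact_greedy(p), redact_bounded(p)) for p in posts]


def false_positive_count(posts, redactor):
    """Count posts that were changed even though they carry no attribution
    (here: no capitalised two-word name after ' is ')."""
    return sum(
        1 for p in posts
        if redactor(p) != p and not BOUNDED.search(p)
    )


if __name__ == "__main__":
    for original, greedy, bounded in redaction_report(SAMPLE_POSTS):
        print("original:", original)
        print("greedy:  ", greedy)
        print("bounded: ", bounded)
        print()
    print("greedy false positives:", false_positive_count(SAMPLE_POSTS, redact_greedy))
    print("bounded false positives:", false_positive_count(SAMPLE_POSTS, redact_bounded))
```

On the first sample the bounded pattern removes only the name and address and keeps the rest of the sentence; the greedy one discards the whole remainder of the line. On the second sample the greedy pattern redacts an ordinary reply, which is exactly the "affecting large portions of text" failure the post warns about, while the bounded pattern leaves it alone. Tightening the pattern further would start to miss real attributions written in other forms, which is the "not going far enough" side of the same trade-off.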