If you make your profile available publicly then I'd argue it is indeed public. As far as I'm aware, Clearview doesn't have a relationship with Facebook to access non-public data and instead they just operate a web crawler storing anything that's being served without requiring auth.
An image at the top of a news article on cnn.com is "public" in the sense that anyone can access it. But the company and the photographer still retain rights to that image - you can't take it and use it for whatever you like.
What is confusing here is that everyone imagines that clearview (and google, and fb, ...) are really storing those pictures. In reallity they just train their ai. There is no trace of that picture on their servers once you delete it. But ai is capable of recognizing you, in case of clearview from picture. In case of google and fb from your picture, browsing habits, contacts, gps coordinates, your friends, semantics of your texts, ... The only difference is that google and fb are not so stupid to advertise this. But capability is there.
IANAL but I think the GDPR does not just look at the data in isolation, but considers the data and what it is used for.
Thus if I give a company access to my data it does not give them a carte blanche to use it however they see fit, instead I have allowed usage of the data for a set of purposes.
