That’s a pretty good interpretation.
You have no automatic right to any data, and you either need a legal right (performing a service counts, as would performing legal duties or criminal investigation) or the user consenting.
Without clear proof of consent, it’s tough but I think you’d be safe doing one round of emails to long dormant accounts with “we haven’t heard from you, and so under GDPR we are going to clear out the data we have on you after a 30 day period”
Those who care can then reconsent, those who don’t, you’ve done your due diligence.
This at least would be above board under the ICO guidance. YMMV for other EU territories.