For API driven Apps the current authentication/authorization middleware doesn't work because the link in email can't provide a Bearer token. But the links still shouldn't be fully public.
A nice and easy solution would be a temporary signed URL.

// mail.blade.php
\Illuminate\Support\Facades\URL::temporarySignedRoute('personal-data-exports', $deletionDatetime, ['zipFilename' => $zipFilename]);

// PersonalDataExportServiceProvider
Route::get("$url/{zipFilename}", [PersonalDataExportController::class, 'export'])
    ->middleware('signed')
    ->name('personal-data-exports');

This way there isn't any need for a session/cookie anymore and the export is still protected.