So, here's a question. I'm a small self-hoster, US-based. If the "London police" come calling asking for my data, what repercussions do I face if I just say "No"?
Only the repercussions that the UK government could exact upon you. If you have no assets in the UK and don't plan on going there, there is relatively little they can do to you.
It's important to note that the CLOUD Act does not compel you to respond, it permits you to do so where you were prohibited before under US law.
If you had no assets in the UK and you accept you can never enter the UK....
You could get away with saying No. As long as the UK doesn't talk to the US and ask them to turn you over (which likely requires some serious criminal activity rather than curiosity).
The UK government can compel you to give them whatever they want by indirectly acting via the US Govt. They will pressure the US Govt the US Govt will act on you. So even though on paper they can't directly act against you, rest assured, they can. Lets pretend that the US government would not comply with requests to compel you to give them something, you can still be sued or otherwise acted upon in such a way that you would have to expend time / resources to fend off the request / lawsuit or whatever. So to say that the UK Govt can't do anything to you because you don't have any assets there or don't want to go there is kind of silly IMO.
This is incorrect. The US government has no interest in turning over their citizens to the UK government. The UK government is unlikely to sue a US citizen in US court to assert their jurisdiction.
The most the UK government would probably do is issue a Mutual Legal Assistance Treaty request with the US government, who would then go get a warrant and serve that on you, which you would have to respond to.
