1 fplanque Dec 30, 2017 00:19
3 saunders Dec 30, 2017 07:18
Recommendation:
GDPR demands secure transmission of the data. So in a way you should inform the owner of a b2e instance that she has to take care of secure, end-to-end encryption and that this is nothing the b2evolution software can establish. This way you can comply with the demand for information on this issue.
Therefore:
The owner of a b2e instance should be able to customize porting. In case she could not offer e.g. SSL or another secure end-to-end encryption, she should be able to stop the process before providing the download and give some information to the user instead. The owner herself then has to find a way to send the data in a GDPR-compliant way. (E.g. she could encrypt the data with VeraCrypt, TrueCrypt or PGP and transfer the data. The user who asks for the data transfer should have the option to choose via a form. But software automation does stop at this point of the process, and further handling lies in the responsibility of the collection owner in case there is no SSL.)
4 fplanque Dec 30, 2017 22:34
Ok, is the user allowed to specify “I don’t care about security, just let me download my data now!”?
5 saunders Mar 08, 2018 19:11
@fplanque sorry, I got no push notification of your last posting or did not recognize the mail.
Not so easy to answer. The user should have an option to download the data in a secure way.
If both options are available, maybe it is GDPR compliant to offer an unsecure download, too, which can be used after consenting. But I doubt that offering no alternative to an unsecure download is compliant with GDPR.
6 fplanque Mar 08, 2018 22:46
We'll make a file available to the admin and the admin and user can decide how to transmit it.
7 saunders Mar 09, 2018 10:00
IMHO, that will work
GDPR does not refer to specific formats or technologies for data portability. GDPR demands portability in a "structured, commonly used, machine-readable and interoperable format" (Regulation 68). XML is a structured, commonly used and machine-readable format. WG29 expressly refers to XML, JSON, CSV. So IMHO XML is in accordance with legal demands.