I’m going to discuss commercial VPN service providers here. This as differentiated from private VPNs that you’re controlling the entire connection including VPN server, or VPNs with VPN servers that are controlled by an organization that you’re employed by or affiliated with. Remove access into a specific private or business network. Commercial VPN servers don’t provide end-to-end into a specific private network.
To be blunt about security products in general, there are whole lot of questionable, risky, or sketchy “security” products available. It’s one of the easiest ways to “hack” folks; to get software installed that can gain access to the user’s data. For one example, an Avast subsidiary was selling “Every search. Every click. Every buy. On every site.” An activity that many end-users of Avast products might not have realized. Or might not have appreciated.
Now for commercial VPN services? Do you understand what a VPN protects? Really understand it? You might want connection security for your unencrypted connections, yes. But you really don't want any unencrypted connections. Which means SSL/TLS everywhere, including all mail accounts. SSL/TLS is a VPN. Encryption which protects those connections.
Now what does a commercial VPN service get you? Sure, it encrypts the network connection. To the commercial VPN server. Where you and everybody else using that same VPN service are now all consolidated into one big centralized wad of easily-monitored and easily scanned network traffic. The VPN ends at the VPN server. Which means all of your at-risk traffic is now available for scanning, if an organization in that particular network position is so inclined. Which inherently includes the VPN service provider.
Now have a look at the VPN providers themselves. Some VPN companies that are hard to identify, and seemingly various of which are associated or affiliated with tracking and advertising companies. Which means that if the VPN providers are inclined to do so, your unencrypted connections are now available for their scanning and access, and for traffic analysis on your encrypted connections, and for monitoring your DNS access. All of which can now be tracked. All nicely consolidated together.
What are the chances that some of these VPN services folks won’t somehow exploit that centralized traffic access?
Worse for security, the mechanisms many of the VPN providers use for securing the traffic—generic passwords—mean the encrypted VPN traffic is entirely feasible to decrypt.
So... your call.
More reading:
https://www.michalspacek.com/i-dont-use-any-vpn-for-security-or-anonymity
https://arxiv.org/abs/1912.04669
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
https://www.trailofbits.com//research-and-development/algo/
