Commercial VPN services are somewhere between questionable privacy, and a scam.
The whole VPN business is seemingly a heavily advertised effort to collect and log all your data, and given a well-known anti-malware package was selling data about your activities and all of your web purchase history, I'd be surprised if various of the commercial VPNs weren't also engaged in similar data collection and re-sale.
Given the network position, the VPN providers can not only collect, they can also choose to inject content and advertising, too.
And given the credentials to many of these commercial VPNs are widely published, the security provided by the VPN is... greatly diminished.
Based on a posting or two around here in ASC involving the reported installation of digital certificate with a VPN app, and other postings about errors trying to access some network services that implies certificate errors, that certificate installation would permit the VPN provider to decrypt and access SSL/TL- and HTTPS--protected content; the already-encrypted content Apple devices use for network communications.
I mean, coffee shop and hotel Wi-Fi, or deliberately routing your content to large entities deliberately perfectly positioned to intercept and track your contents?
And this all given your network traffic and mail and the rest of your traffic should already be encrypted using SSL/TLS and with HTTPS access. This is part of why folks and providers have been encouraging mail connections be switched over to SSL/TLS, too.
Here's some more reading:
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
https://www.buzzfeednews.com/article/craigsilverman/vpn-and-ad-blocking-apps-sensor-tower
https://www.michalspacek.com/i-dont-use-any-vpn-for-security-or-anonymity
Then there's the whole discussion of tons of spam about VPNs. That usually means tere's profit to be made here. From you, from your sign-up, and seemingly quite possibly from your data and your privacy. I mean, spam and pop-ups are bastions of honesty and truthfulness in advertizing, and widely used to market upstanding products and services, right?
If you really want a VPN, then there are open-source packages where you run the VPN server directly. Streisand and Algo are two well-known examples. There are others. If you control the VPN server, then you have better control over logging, too.
Note: Above applies to commercial VPN packages, and not to VPN clients and VPNs that are intended to allow you to connect into the internal networks of an organization that you're affiliated with. That's a different topic.
