Concerned my iPhone 16 has a key logger

None of this is happening. Trying to directly access just ONE non-jailbroken iPhone costs a bare minimum of $100,000.

Unless you have data that is only on your phone that is worth that much to someone, you are not a target, and you have not been hacked.

And get rid of the VPN. It's useless.

Public VPNs are anything but private.

A VPN can do absolutely nothing to hide any data going between you and the site you're viewing since only half of the communication is encrypted. Anything going to the site from the VPN and back to it is in the clear, or the site you're accessing would have no idea what to do with the encrypted data.

A VPN has only two uses:

1. You're using it to send and receive content from a truly tunneled VPN at your place of employment. Only the servers at the office get the unencrypted data from you as output from the VPN. Anything coming back to you is encrypted. Meaning, anyone trying to capture data between you and the office will only ever see encrypted data. A hacker would have to somehow breach the business' server on the clear input/output side, or your end to get anything.

2. You're trying to hide yourself. Since a VPN encrypts what's coming back to you, it does a good job at hiding what IP address the data is going back to (and as the link above mentions, even this doesn't do a good job of hiding you anymore). However, any and all VPNs log this data. If you do anything illegal and law enforcement tracks the clear data back to the VPN (and they can), they'll demand log data to see what IP address the data was output to. The site running the VPN will give you up. They aren't going to go to jail for what you do.

Free VPNs sell your data (just one of many sites explaining this)

This isn't exactly breaking news. It's been known for a very long time that free VPN's (in particular) log and sell your data. How else do you think they pay for their servers?

It's the same model as Google, and in particular, Chrome. You are the product. Chrome runs a background daemon from the moment you turn your computer on, whether Chrome itself is running or not. Its job is to constantly send anonymized data back to Google about your web and personal computer usage.

No matter what web site you're communicating with, only what you send to the VPN and it sends back to you is encrypted. Every bit of data out of the VPN to the site you're visiting, and from there back to the VPN is the same as using no VPN at all. It has to be, or the sites you're visiting would just get a load of encrypted data they can't do anything with. NordVPN has recently been sued for deceptive practices by making it nearly impossible to unsubscribe

VPN reviews you find online are also almost completely untrustworthy:

Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites

And in the modern internet world, you don’t need a VPN anyway. Most web sites now use HTTPS (secure communication). When you connect to such a site, a one-time use encryption key is generated between your browser and the site. All communication for that site is then already encrypted. A VPN does nothing but uselessly encrypt the encryption. It varies with the browser you’re using, but Safari indicates a secure connection with a small icon of a lock by the URL of the site.

If items on your phone are changing (photos being deleted, contacts changed/added/removed), or other such things, then someone else knows your Apple ID and password. With that information they can login as you from any other device and see all of the same iCloud synced data you do. They can also then do whatever they want to it, the same as you.

Go to Settings. Tap on your name at the top. Scroll to the bottom. Are there are they any devices listed you don't recognize?

Did you jailbreak your device and give it to someone for about an hour without knowing?

There is no key logger.

They aren’t. Your device cannot be accessed remotely. Software can only be installed by you through the App Store. You’ll also want to remove mcafee from your Mac. It is unnecessary and provides no protection.

There is indeed a limit on how many devices can be attached to a single user ID. Five per year. After that, you have to release at least one of them to add a different device.

But anyway, it sure sounds like multiple people are "sharing" your account. Or, one person with multiple devices. Either way, they don't belong there.

Go to:

icloud.com

Login with your ID and password. Hopefully, the other user(s) haven't changed it, locking you out.

If you can get in, tap on the generic human icon towards the top right and tap Manage Apple Account. This will open a new page.

The very first thing to do is change the password to something that is not easy to guess. Immediately follow that by clicking one the Devices link.

Tap on each device that isn't yours. In the window that appears, tap Remove from account.

For each device you do own, you'll need to logout and log back in with the new password.