IT/Networks engineer here. Regarding VPNs: Please always remember that a VPN service is just somebody else’s computer. Ask yourself, do you trust the provider to not intercept or monitor the traffic? Was the risk of the VPN provider being compromised by an adversary also considered? Commercial VPN providers to me sound like a nice way to put all the interesting traffic into one nice easy place where it’s susceptible to interference be it from adversaries or government. I don’t want to go fill tin-foil-hat, but I always feel like a blanket “use VPN” might not always be great security advice.
Personally, the only VPN I use is the one that I set up myself, terminating to a router in my house as I can trust both the client (my laptop) and the server side. This does however require trusting your upstream ISP to not be doing anything bad, and I get that not everyone will want to spend the time setting this sort of thing up.