I happen to agree, but want to add that the thesis is “most people don’t need a VPN,” which is arguably true. Most people simply aren’t that interesting, and aren’t at risk of being individualky targeted by a motivated adversary or hostile nation state. As long as they’re using HTTPS while doing so, most people no more at risk shopping online, reading email, doing Social Media, or conducting banking at a Starbucks than they are in their own living room. That threat picture looks like DNS profiling, MAC address harvesting, maybe browser user agent fingerprinting, or DHCP device fingerprinting. Just run-of-the-mill data harvesting, and usually only for market research. Most apps rely on TLS or SSL which is generally secure, but leak info at the lower level utility protocols like DNS and DHCP. If you didn’t disable DNS over HTTPS (DoH) on your device and otherwise follow reasonable online hygiene, your data and gour identity is likely secure¹.

Now: be a journalist, activist, organizer, politician even of local school board stature, dissident, expat or artist/performer of any notoriety, and congratulations! You have a complicated threat picture! Proceed to Go, retain a trustworthy IT firm, and work with them to furnish and maintain a private OpenVPN or Wireguard service on your behalf at a public VPS, also being sure to do your diligence and ask for a copy of their certificate of insurance from their cyber insurance underwriters.

Anyway, unless a person has a technical reason to access private resources, or has a more-than-mundane threat picture in their life, a VPN is just a waste of overhead.

– ¹ Not you, T-Mobile user.