To be honest all a VPN does is add another layer of protection. It's not that secure because they can be subpoenaed or NSL'ed into giving data over, which is why a VPN's log policy is important to pay attention to. So in reality, you are mostly just trying to not reveal traffic to your ISP which the various LEA's can get access to far too easily (read: without a warrant).
For those really serious about privacy that's why I think actually owning a colo space where you own and control the hardware can be a preferable solution. For those who don't like that try setting up your own VPN on a VPS, etc.
One of the key things most people miss is DNS. I personally also suggest running your own DNS server, even if just a local dnsmasq that's outgoing to opendns or internic or something.
One more thing most people don't think about is attackers pivoting from other compromised devices on the internal network. If you think that Amazon/Apple/Microsoft etc device isn't sending checks out on the local network and then reporting back stuff like internal IP topology and MAC addresses you got another thing comin. Check your iptables or nftables (bpf?) and block internal hosts you know don't need access.
I'm in UK where the law requires all ISPs to store everyone's browsing history for a year - I browse the web exclusively over VPN and yes, I trust my VPN provider 100x more than I trust the British Government.
Your ISP is a near-monopoly with vast wealth and political connections, and no trust to lose. A VPN is used by a much smaller group of people who will ditch them en masse if any hanky panky comes to light. There is a ton of competition in the VPN space, and they’re mostly selling the same product, so if they lose trust, they’re done.
