OVPN successfully evaded Hollywood(through pressure on Swedish institutions) 5 years ago when they were up ThePirateBays ass again.
You still have to trust them, you're not wrong but at some point I'll fall back to the common question security people(not me) tell paranoid doubters: Whats your threat model?
If you're running a global child-abusing ring through Mullvad or OVPN(offers static IPv4 for inbound traffic) I don't know what they'd do but they've proved themselves over and over to be organisations you can trust.
OVPN turns around about 1.2M$ with 0.8M$ profit (0), Mullvad turns around significantly more money but with less profit margin (1) (probably funneling profits to a tax haven) so the risk of someone buying out OVPN is there, but "you" are probably not worth it if the ones targeting TPB didn't figure out how to get through.
You can still run TOR over their VPNs as another layer if you're uncertain their reputation is trustworthy enough for your usecase but don't want TOR traffic originating from your IP.
I have the feeling most replies are US centric, assuming sticking with your carrier forever and travelling abroad max once a year.
If you are based in Europe but not the EU, thus not covered by the common telecommunication roaming laws, the 'couple of seconds of swapping tiny SIM cards' become a complete nuisance.
Locally I already use two carriers, one prepaid with my phone nr that is barely used and a data only (unlimited) plan for <100USD/yr. Crossing the border always require me to juggle three SIMs and not to lose any of them in the process. Just last week I missed my tram at the airport because this process.
I also already experienced two SIMs with technical issues needing replacement... this is a technology that should have been abolished / disincentivised by law years ago.
I understand your criticism concerning eSIM UX, these issues are however not due to the underlying technology but purely corporate choices.
The future is obviously getting rid of completely unnecessary SIM slots and the faster we iron out the toothing issues the better.
One of my major buying criteria for my next phone is eSIM support, currently ruling out XIAOMI.
A 'normal internet user' has an email address, the format of which is probably specified in some decades old RFC.
Nothing else but the format should be checked and ANY kind of error should be properly communicated.
I had two situations recently that cost me a substantial amount of time and effort, due to f**ed up email handling and non-communication to the user.
Once I tried to sign up to Pinterest with my personal catch-all domain using the emai pinterest@mydomain.tld. Only received random errors no matter what browser and IP I tried, had to contact 'support' (three levels of bots) to eventually find out that 'pinterest' is a reserved word because of which they would not accept my email.
Second situation in a hotel trying to connect to WiFi via a captive portal. Using email hotel@mydomain.tld (which I used to check in and was thus required to use in the portal) the page just refreshed again and again without throwing a user facing error. After significant back and forth at the reception I was educated that I was only allowed to use private / personal emails (meaning GMail). My own domain wasn't personal enough...
Both situations could have been rectified easily if proper errors would have been communicated.
In Europe just using debit cards is perfectly viable in 99% of the cases, however when it comes to car rentals you are still in some locations forced to provide a 'real' credit card.
I write 'real' since most of the FinTechs like Revolut, N26 etc often issue debit cards that may fail in exactly that situation. It doesn't help if your account is flush with 10k USD and a car rental could easily block 2k for claims on your debit card, some will just not accept Revolut & co. Thus I am always forced to carry an emergency backup credit card from a major bank just to be on the safe side...
Very much looking forward to the day some other means of international payment (crypto?) will be generally accepted.
I am so fortunate to live a in a truly free country that has not yet caved in to most of the western crap despite being a western first world country. Spain.
Here the rental companies accept even cash, and the person who pays doesn't even need to be the same as the one who rents.
They require a credit card because credit card companies have robust ID and credit checking. If their ID checks weren't great, someone could steal the whole credit limit.
Banks and debit providers also do ID checks, as required by law, but don't check anywhere near as hard, since there is no way to steal money from the bank if your account can't go negative.
Servers that don't log and can't without hard drives, ports physically glued shut.
https://www.ovpn.com/en/security