I’ve never completely understood this, but I think the answer would probably be “no,” although I’m not sure. Usually when I leave the house I turn off wifi and just use mobile data (this is a habit from my pre-VPN days), although I guess I should probably just keep it on since using strange Wi-Fi with a VPN is ok (unless someone at Starbucks is using the evil twin router trick . . . ?). I was generally under the impression that mobile data is harder to interfere with than Wi-Fi, but I could well be wrong and my notions out of date. So, if need be, please set me straight. 🙂
The provider and national TLAs will see all traffic that is in cleartext and meta traffic which is even more valuable. It can also actively tamper with that traffic. So you’re technically incorrect and you assume your threat model is universal. It’s not. And, of course, there are use cases for Tor, whether with or without VPN.
While my threat model is not universal, it comes close, at least for the average user which OP seems to be from their question. In practice, there is very little unencrypted traffic these days and in the case of that traffic you will have to ask yourself if your (commercial) VPN provider is more trustworthy than your ISP.
If you need to ask if you need a VPN there’s a 99% chance that you don’t. There are certainly a few use cases for both commercial VPNs and TOR (see my other comment) but to even be aware that those apply to you, you probably already have enough technical knowledge to approach the question from the direction “I want to do XYZ, how can I be more secure?” and not “I’ve heard of VPNs, do I need one?”
My national government has no business knowing which protocols I use to contact which endpoints and tamper with that traffic. Wrapping up that information in a tunnel is a good first protection layer.
If you’re using a commercial VPN from a provider who can legally operate in your country, your national government can just as easily get that information from them as from your ISP.
Correct. But that’s no reason to make it easy for them. Burglars can break my windows and climb through and steal my stuff. I’m still going to lock my doors
While ISPs are in many jurisdictions obligated to log your connections (data retentions laws), VPN providers are not.
How would a national government (not TLAs) target particular individuals in a large number of users and what information can they gather given e.g. https://mullvad.net/en/help/no-logging-data-policy ? So perhaps not quite as easily as ordering a tap.
Even though most data traffic is encrypted who you’re talking to is not encrypted.
So a third party can observe, who you’re talking to, how much data you’re sending to them, how frequently you talk to them…
The classic example is if you start visiting a suicide prevention website, even though they don’t know the content that you’re being served, they can guess oh you’re having mental issues. We should revoke your security clearance… Etc
It’s not just all about encrypting traffic. Many people connect to the internet over a static IP most of the time from their home network. A VPN provides protection against tracking in this case.