Security and privacy are ultimately a balance of resources between a defender and an attacker.
An attacker only needs to keep adding resources to their attack until the security and privacy of the defender is overcome. You also see the reverse in society where sufficiently powerful people are able to shield bad actors from justice and the law of the land.
The best that a private individual can hope for in terms of their security and privacy is to impose a sufficiently high cost on the attacker and bad actor that the private individual is not worth pursuing in comparison to similar targets.
What the technical solutions are to implement those cost impediments on the attacker is a matter of personal judgement and it's perfectly valid to eschew VPNs and attempt to be a needle in a haystack.