Security researcher Kenn White added that “for the vast majority of consumers, commercial VPN services add very little value and frankly most incur more security risk for the user.”
One risk is some VPN providers use self-signed root CAs, which allow the creator to read encrypted traffic coming from a computer.
White said this is done in the pursuit of malware prevention, but that “is just a different way of saying ‘intercepting your (otherwise) encrypted web and mail traffic.'”
Some VPNs may collect more information than users anticipate, and in some cases expose that data too.
The advice you get from Youtube influencers, which are paid to sell you a VPN, is terrible. There are very few use cases for those VPNs. It’s mostly for pretending to be somewhere else, to circumvent geo fencing.