That’s not exactly true. It really depends on what you’re trying to protect yourself from.

If you’re running an ARR stack, The Pirate hunters out there are going to end up empty-handed at a half decent VPN in a foreign country. But if you’re doing something that will draw the ire of the FBI, CIA or secret service, it’s a little more than a speed bump.

Many local ISPs basically hand the keys directly to law enforcement without so much as a warrant. Most of the VPN providers will at least put up a minor fight to stay in business.

I don’t know why VPN providers promote themselves as like they are going to make your connection more private, everything is already encrypted (except DNS).

It’s true that most popular web sites have moved to HTTPS, but even if all of them had, not all network traffic is web traffic. Also, even if someone uses the network only for web browsing, DNS is not the only privacy-relevant data that gets exchanged outside the HTTPS connection.

You are just shifting the trust from your ISP to the people that run the VPN.

Some people have reason to distrust their ISP more than their VPN provider, so this is a valid use case.

VPN isn’t really comparable to HTTPS. The former protects all traffic, and with a relatively small attack surface, but only up to the VPN edge. The latter protects all the way to the network peer (the web server), but only web traffic, and with a massive attack surface: scores of certificate authorities in countries all over the world, any of which could be compromised to nullify the protection. They address different problems.