I'm not casting any aspersions but if I were running the FBI/CIA/MI6/five eyes/whatever, I'd set up a VPN service and it would look exactly like NordVPN. I mean exactly. Operates from (and trades on the name of) a strongly independent country/region. Somewhere that would be considered trustworthy to the targets of interest to me. Nobody who works there would have any idea about the intelligence operation, except for a small ops team who "develops the platform". And I'd absolutely pump the marketing budget with unlimited cash to ensure they can promote their services on every English-language YouTube channel.
NordVPN are probably fine. But if I were actually keen to avoid government monitoring, I'd probably look for a VPN service that doesn't put much effort into marketing to an English-speaking audience. And I'd combine that with at least one more layer of indirection.
You can’t prove otherwise, unfortunately; you have to trust the provider... trusting only.
I would personally stay away from Proton for anything, VPN or email. I’ve been following their news since they started, and there are a lot of sketchy things about them; you can read about some of it here (1). The CEO of ProtonVPN and Tesonet (a data mining company) is the same person, and they used to have a lot of vulnerabilities and a bad patching system (2)(3). There is other stuff about it that I can’t find the reference for right now (hmmm?), but I can dig deep later if needed.
Mullvad has been better so far; I personally use / used it. The last two years have been really bad with their network, and recently they stopped port forwarding (4), but again, you have to trust them.
The second and third articles are over 5 years old; that attack also requires a device to already be compromised. Proton VPN undergoes annual security audits and is also open-source, so anything "sketchy" (like if the app were actually data mining) could be quite easily and quickly discovered.
Is Freemium VPN a thing? If these are the options, it seems like this could be the middleware gap the industry is begging for, because both of these options as-is suck.
You are still connecting to the VPS from your regular IP addresses. Trust in the provider is still required. And they have downsides for common uses like lack of being able to switch servers to get a new identity or change location, and for BitTorrent piracy specifically, many probably are not designed to handle getting DMCA notices.
All paid VPNs == honeypots