Threat model
A VPN encrypts traffic between your device and the VPN provider's network. It does not turn a compromised laptop into a safe laptop, and it does not stop you from typing your password into a fake login form.
Protection scope
In scope
Local network attackers on untrusted Wi‑Fi sniffing plaintext or performing DNS spoofing.
ISP visibility into destination domains and timing metadata for tunneled traffic.
Casual IP-based geolocation for services that see the VPN exit address.
Out of scope
Endpoint compromise
Malware with root access can read keystrokes and screen contents before traffic ever reaches the VPN.
Token phishing
Training and password managers matter as much as tunnel encryption.
Legal compulsion
Providers respond to lawful requests within their jurisdiction. Read transparency reporting for historical examples.