Technically speaking, they could target VPN users by infecting uploaded files with a simple trojan that pings home to a server. I assume you disable VPN after the download is complete.
It's been a few years since I've downloaded a torrent. Spotify and Netflix are more convenient for me. My own routine was a VM purely for running a client in a VPN-only environment, tables to drop all non-VPN traffic and file transfers using shared folders. The VM was "virgin" to prevent any identifiable info leaking out. It is possible that this is slightly more hardened than a "typical" use of a VPN. I was thinking in this context when I posed the question.