by misterrobot 3282 days ago
Because when you host it yourself, it can be off of the public internet.
2 comments

That's not very useful for your CEO/CTO/CFO/sales/etc when they are offsite or traveling.
A VPN resolves this issue and provides encryption and authentication.
A VPN is non-trivial to set up correctly. Have you set up an internal DNS to prevent leaking the domains from requests? How about IPv6 leaks? There are many things to consider, and I wouldn't trust a random programmer to do it correctly.
I wouldn't trust your programmer much at all if they couldn't configure OpenVPN with correct DNS settings, given some time.
And what about if your network is compromised? For most small-medium businesses, that's more likely than Slack being compromised.
Slack already had a public compromise. Most small businesses haven't been publicly compromised.

I'm not saying it's safer to self-host. There are a ton of foot-guns with operating your own IRC server.

It mostly depends on if you're a target. I must have missed when Slack was compromised, but I'm willing to take the risk of Slack being hacked, as I'm not a target. I'm a fan of the methodology that bigger company = more secure, although that's obviously not always the case.
That said, you bypass a ton of those foot-guns if you just stick everything behind a corporate VPN with 2FA and the appropriate security. As long as the VPN is secure, everything behind it is secure.
> And what about if your network is compromised? For most small-medium businesses, that's more likely than Slack being compromised.

If your network and/or workstations are compromised, it is _over anyway_ because they have all your data. This is one of those situations where you are saying "What if they decapitated me? Slack might still be secure."

I mean, technically, you are correct but it isn't relevant because you are dead.

If you think such a business can survive a pentest from an employee workstation...XD