You're just paying some extra third-party that handles all your traffic now. What's to prevent them from doing the same? You're moving trust to another actor.
You should not trust anyone handling your traffic, that's why things like HTTPS and SSH exist.
The problem here is not that the ISP can not be trusted, you should never trust them anyway. The problem is that the ISP is using their router to force their way into what is supposed to be the trusted part of your network, your LAN.
This is exactly why I don't use the ISP provided router, and every piece of equipment of theirs I have to use (mainly the IPTV box) is in a separate, untrusted, VLAN.
Personally I very much agree that using a vpn service for all your traffic is probably not a good idea. As well as other objections, some have been confirmed to sell fine grain traffic information, and may have an easier time justifying that as it is arguably anonymised.
That said, if you set up your own vpn on a digital ocean node, moving your network boundary to the datacentre, then the cloud hosting companies network that you end up trusting is less likely to be set up to spy on you then a consumer isp.
I get bad speed though when I do this. The processibg speed required to encrypt a connection at 300mbps just isn't there in my router.
That's probably the issue. A general purpose machine (with AES-NI), slap OpenBSD on it, disable DHCP server on your ISP router, let OpenBSD handle that... and done! (not for the faint of heart though)
You might even add a NIC to it, and act as another physical hop for firewalling, etc.
I've had good luck with pfSense as a VPN client. Either as VMs, or on dedicated hardware with a decent CPU. If you're wanting more than 100 mbps, however, you probably also want a cryptoprocessor chip.
Sure I am, but they're a VPN service with a long history of protecting users from snooping. And they don't do business from the jurisdiction that I'm subject to. So targeted surveillance would be harder. Not impossible, of course, by major national intelligence organizations. But hey.
Also, I dont rely on just the one VPN service. I use nested chains of VPNs, and so distribute trust among multiple providers. Doing business from different jurisdictions. Just as Tor does with three-relay circuits. Sometimes I use private VPNs running on anonymously leased VPS.
Finally, each of my personas uses a different nested VPN chain, or Tor (Whonix) through other nested VPN chains. So linking my various personas would be nontrivial.
It's easy to move your VPN to an arbitrary VPS anywhere in the world, but there's only a handful of residential ISPs available in any given area, and they are almost univerally scummy.
Source? I do not think most of the ISPs in my area are particularly scummy. They provide reliable plain internet service with no data caps (and also TV/phone service if you so desire) for a reasonable monthly fee, and in my experience, most of them hire enough customer service workers on their support phone. All of them also resisted internet filtering until the legal system forced them to do so. What more is there to ask of an ISP?
In my area none of them provide reliable internet service, most of them enforce some censorship and have poor customer service, and all of them perform the legally-mandated surveillance.
Having the wire, especially if it's fibre, between your home and ISP encrypted is probably of extremely limited value. Your ISP has access to the (unencrypted) endpoint anyway, and any adversary with the resources to actually tap your fibre probably have higher value and more easily accessible means of spying on you anyway.
The problem here is not that the ISP can not be trusted, you should never trust them anyway. The problem is that the ISP is using their router to force their way into what is supposed to be the trusted part of your network, your LAN.
This is exactly why I don't use the ISP provided router, and every piece of equipment of theirs I have to use (mainly the IPTV box) is in a separate, untrusted, VLAN.