by jeffdavis 2437 days ago
Your reasoning assumes that a VPN couldn't hurt, but it can. If someone wants to track you and you don't have a VPN, they need to compromise your ISP. If you do have a VPN, they need to compromise your ISP or your VPN.

Am I not understanding your argument?

> they need to compromise your ISP or your VPN

Part of the point of a third-party VPN is that the ISP/router can't tell what you're doing -- you assume that they're untrustworthy. Compromising the ISP would be useless, unless your VPN is for some reason sharing the same info with your router, in which case... install a competent VPN client.

I don't see how you're adding an additional failure point, you're just moving the same failure point somewhere else.

Yes, once the VPN endpoint makes the request, an ISP can still intercept it. But this is one of the few cases where adding an additional network hop very likely does not matter at all for your privacy. Once your request is going over the open Internet there are already so many opportunities for people to spy on it. The benefit is in disassociating that request from you, not in hiding it once it goes public.

The confidentiality protection is not really absolute - the encrypted VPN traffic is susceptible to traffic analysis[1]. For example, your traffic pattern fingerprint could be correlated and matched to your online identity if your ISP and an ad network or another globally positioned middleman actor colluded on it.

[1] A term of art in intelligence & cryptanalysis, https://en.wikipedia.org/wiki/Traffic_analysis

Respectfully, unless your adversary is the NSA, and they are targeting you, your argument is full of shit.

Why do you think it would be unworkable for a corrupt ad network in cahoots with your corrupt ISP to correlate your web requests based on time, length and previously seen traffic from the VPN IP?

Because it is way too much effort with questionable return on investment.

I agree that the business case is not that obvious but converting a "can't be done" argument to a "not interesting enough" is already pretty significant. The amortized cost per user would be very low after all, assuming this was used for automated mass surveillance.

Can't it be automated?

No, they need to compromise your ISP and your VPN -- that's the whole value. With a VPN, your ISP doesn't see your traffic anymore, they just see you connecting to your VPN provider. Meanwhile your VPN provider can see the site you're connecting to, but they can't tell who you are, just "someone in ISP X's IP range".