by jdormit 2391 days ago
Why can't your VPN see what pages you visit on sites? They can see every URL you request, can't they?
1 comments

For HTTPS, the only thing sent in plaintext (and this is only if you don't use DoH or similar) is your DNS query (google.com). The rest of the page (search.php?=goat+snuff+videos) is encrypted.

Yes. To add, any number of middle boxes during egress from the VPN provider can also sniff the SNI in the TLS packet (SNI stands for Server Name Indication and stands on its own as plain text traffic) before a TLS session is established (assuming a DoT/DoH DNS scheme is in use).

Effort and RFCs are underway to establish what would become part of the TLS protocol stack. One of them is eSNI (encrypted SNI).

Ah, I see. Thanks!