by cm2187 2383 days ago
But outside of DNS (and agree that’s a big outside), aren’t pretty much all major protocols already encrypted these days? SMB2 was the last big one I could think of, but SMB3 has (optional) encryption.
2 comments

Apart from DNS, the destination address on each packet leaks a lot of information about which online properties you are accessing. A determined attacker may even be able to figure out exactly which webpage you are on, based on the size of the packets and the order in which you connect to various addresses. Using a good VPN helps obfuscate a lot of that metadata.

Whether you can actually trust an HTTPS site or an IMAP connection when you're in a hotel in China is another problem that a VPN can solve. The CA infrastructure is ridiculously fragile, especially now that HPKP is dead in the water.

You should encrypt DNS. DPRIVE standardised DNS over HTTPS, or, if wrapping yet more things inside HTTP makes you want to vomit, DNS over TLS directly. You can use it today.
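The two encrypted transports mentioned above carry exactly the same payload as plain UDP/TCP DNS: the RFC 1035 wire-format message. DNS over TLS (RFC 7858) writes each message onto the TLS stream with a two-byte length prefix; DNS over HTTPS (RFC 8484) sends the raw message as the body of a POST with `Content-Type: application/dns-message`. The following is an added, self-contained example (not code from any commenter) that builds a query, shows both framings, and parses a constructed response including a name-compression pointer. The TLS/HTTP connection itself is left out so the example runs offline; the resolver path `/dns-query` and the sample response bytes are assumptions constructed for illustration.

```python
"""Minimal DNS wire-format helpers showing what DoT and DoH actually carry."""
from __future__ import annotations

import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label terminates the name
    return bytes(out)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the reader resumes after the first pointer
            jumped = True
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_query(name: str, qtype: int = QTYPE_A, txid: int | None = None) -> bytes:
    """Build a one-question query with RD set; this byte string is the DoH/DoT payload."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable ID, as resolvers expect
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def frame_for_dot(message: bytes) -> bytes:
    """RFC 7858: each message on the TLS stream carries a 16-bit length prefix."""
    return struct.pack("!H", len(message)) + message


def doh_post(message: bytes) -> dict:
    """RFC 8484 POST shape: the raw wire message is the body, with no length prefix.
    The /dns-query path is the conventional one but is an assumption here."""
    return {
        "method": "POST",
        "path": "/dns-query",
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": message,
    }


def parse_response(msg: bytes) -> dict:
    """Parse the header and answer section; return txid, rcode and A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed sample response, not captured traffic: ID 0x1234, QR+RD+RA, NOERROR,
# question example.com/A, one A answer whose name is a pointer to offset 12,
# TTL 300, address 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    print("DoT frame :", frame_for_dot(q).hex())
    print("DoH POST  :", doh_post(q)["headers"])
    print("parsed    :", parse_response(SAMPLE_RESPONSE))
```

The point worth noticing is how little changes between the transports: the same 29-byte query is either length-prefixed onto a TLS stream or posted as an opaque HTTP body, and the resolver's answer parses identically in both cases. What the encryption buys is that an on-path observer no longer sees the name in the question section, only the resolver's address and the message sizes.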