by gzer0 1534 days ago
Tangentially related:

Users can use Mullvad’s TOR address: http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7k... to generate their account ID and make their payment with Bitcoin seamlessly.

I have never experienced such a smooth way to purchase from a provider, this was brilliant.

+1 to Mullvad


The ease with which you can pay anonymously makes me feel that it's more likely a genuine privacy provider rather than a CIA-run honeypot like Crypto AG.
Bitcoin is not private but many people don't know this, and they refuse to accept Monero, so I follow the same logic but come to the opposite conclusion.
You can also mail them an envelope with your user ID # and some cash. It's pretty great.
I started by using the cash-in-an-envelope option. For my most recent subscription, I paid in Bitcoin. All methods were pretty easy, neat and fast.
How does it matter that your payment is anonymous when all your traffic is going through them?
If Mullvad gets compromised, you can still remain anonymous if the payment method is anonymous, as long as the traffic you've sent to Mullvad has been anonymous as well. Obviously, if you log into your normal Facebook account, it isn't, but there are plenty of other uses.
If Mullvad is compromised, then all my traffic is also compromised and potentially my client machine is also compromised (since I'm running the Mullvad client). Alternatively, to begin with, if my traffic wasn't sensitive or personally identifiable, then I don't actually need this multi-hop setup.
No idea how the Mullvad setup is done, but in theory I think you could use Tor -> Mullvad WireGuard-configured VPN -> target site.

That way your traffic would be "legitimized" (no infernal Captcha loops), and if the sites you visit have certificate pinning, a Mullvad network compromise wouldn't matter.

A bunch of ifs, but that's the state of things.

Edit: written before thinking out all the details, probably can't tunnel UDP connections over Tor.

Yes, if Mullvad + your machine is compromised, then indeed there is not much you can do. But first, not everyone uses Mullvad's client, but instead the provided configuration files for WireGuard/OpenVPN. Secondly, not all traffic is indeed personally identifiable, especially if you're using something like Mullvad for anonymous traffic to begin with. Imagine you have another account than vinay_ys that you only use via Mullvad (and potentially other accounts). Using something like cash (or Bitcoin for that matter) as a payment method makes it less likely that the real-person you will be connected to this other account.

Security and privacy is not a true/false thing, it's a thing you do at layers. Making payments anonymously is obviously adding another layer. Maybe it's not worth it for you, but for some it is.

With a WireGuard VPN to reach the Internet, all traffic from this machine meant for the Internet is going via the tunnel, including the OS-generated background traffic and application-generated background traffic (like update servers, analytics beacons/telemetry, license verification servers, etc.). These can contain tracking identifiers that can be tied back to app purchases, and even the laptop purchase itself.

If you really have only limited sensitive traffic (even with a fake identity), you are better off using just Tor Browser than using a full-machine VPN.

Yes, indeed, if there is identifiable traffic coming from the OS, you're screwed. This is why I said "not all traffic is indeed personally identifiable". If you are doing things where you have to be anonymous, there are plenty of OSes you can run to not have all those things giving away your identity. If you think just adding a VPN on top of the OS you use for other things, you're screwed.

I think you're missing the point here. Even if you use Tor Browser or a completely new OS installation of Tails or whatever, if your payment method can be tied to you, you're once again screwed. Being able to anonymously pay removes that vector, it's as simple as that.