The newest version of Firefox goes a long way to prevent this with Total Cookie Protection[0]. You’re basically left with fingerprinting as all cookies are site specific - even third party cookies. Combine that with with a DNS that does cname uncloaking like NextDNS and noscript and you’re about as good as you can get without extreme measures.
But the cast majority of users will not care about fingerprinting by surveillance industry but about illegally Dow loading stuff. And there, VPNs are quite comfy.
"That's about it" corresponds to large swathes of the Internet for some of us living in parts of the world with arbitrarily censored and restricted Internet access.
We've had numerous cases of ISPs spying on the domains that you are using and throttling your network usage according to that activity at least in the United States, so a VPN goes a long way towards ameliorating this particular issue.
Some of us have really crappy ISPs (that also happen to be monopolists) that do things like HTTPS MITM (when they try to force you to install their root CA certificate and HTTPS simply doesn't work unless you do it), block DNS requests unless you use their DNS servers, or store all your traffic (this is being done in Russia, but it's close enough). I very much prefer to cover the precise details of my communications from my ISP and 'outsource' that stuff to Europe.
Well, yes and no. For most people, they're over-rated. You don't even need a VPN to securely pay your credit card bill on public Wi-Fi.
However, there are two cases where they are useful:
- IP address hiding (something like iCloud Private Relay for iOS/Mac users does this at the browser level, VPN brings it to the entire system)
- Legal protections
- Location simulation
If you want to hide your IP address, this could be to stay more anonymous and less trackable, any system that relays your connection is fine.
If you want to break the law, you'll need something that has safeguards in place against that. Most VPNs do the most they can within the legal limits here.
If you want to simulate your location, you'll need a VPN with servers in those locations.
---
So really, it just depends on what "real privacy" means to you.
You forgot the most important use case, unless you're talking about Europeans and USians only. I use a VPN simply because half the internet doesn't work without it (some guy in a suit decided what you can and cannot read, and there's nothing you can do about it).
Free tiers provided by various "cloud" services work fine for this one (Oracle is the most generous among them).
> unless you're talking about Europeans and USians only
Nah. As Europeans we're getting more and more censorship. Just think that most Russian news outlets have been blocked, youtube channels and so on.
Plus until recently I couldn't read a good chunk of US news due to them refusing to adapt to GDPR.