there's a lot you're right about, as well as some info you're missing.
- your data has, for the most part, been sent and receieved using a secure tunnel (HTTPS) since 2016-2018.
So yes, while you're connecting to a network, which has an encrypted tunnel, your data isn't then just unencrypted the rest of the way any more. Not unless you're specifically using unsecure HTTP.
- using a VPN is still useful for shared and public networks, as while ARP spoofing and man-in-the-middle attacks are rarer now, a person with enough knowledge could still technically view certain content you might not want them snooping on. It also helps against snoopy governments and ISPs, and helps you get around blocks, both locally and nationally.
- people on the network can see what sites you're connecting to, and they could see the contents of websites with no security tunnel, where the browser now tells you it's unsecure, but that's all, unless they're specifically very knowledgable about compsec. most skiddie attacks won't work anymore, and a VPN company actually had their ad banned by a UK regulator because of the misleading claims.
-some networks and ISPs prioritise certain types of traffic over others, and a VPN means that they can't do that to you.
-metadata gives away a fair amount of information and wanting to keep that private isn't necessarily a bad thing.
there's probably a lot more i could go into detail on if you're interested. because i think it's important that we don't let ads mislead us, and big companies make misleading ads all the time. VPNs are something i love talking about, so please respond if you want to know more, or want to point out something i said. i welcome feedback and discussion.