VPNs - how more secure?

My personal view is that pretty much all your 'data' is stored and retrievable by whoever really really wants it.

The main thing is that in reality no one really really wants your data because you are no one.

No-One's have a lot of interesting data. The main difference between No-One's data and banks data is that, if you still No-One's data, you won't fo to jail until you do something very stupid.

VPNs are secure. The most relevant treat against VPNs is social engineering. Collect private information, call a customer, convince him to collaborate because you're just a technician doing his job, get the info needed to access a system. In this case, the instructions to setup and configure the VPN.

Stealing hard disks or laptops is possible, yes. The easiest solution is to hope that this won't happen, but a more interesting one is to encrypt disks (if it is worth the effort).

WTF is any of that supposed to mean??

The provider can set up packet capturing at their VPN endpoint to monitor your traffic in the clear. You have to trust your VPN provider (or at least, trust them more than the random WiFi hotspots). Roll your own is certainly an option, but it's a public internet facing server that can be attacked and pwned (a VPN provider is more likely to have the resources to monitor and protect their network against this risk than you are - and if you run a server you need to patch it etc).

What exactly do you mean by 'enough'?

TLS over HTTPS (which is typically used between your PC and a secure website), is generally sufficient for protecting the detailed session content between you and the website you're connected to as anyone in the middle (e.g. coffee shop customers, ISPs, etc) will be dealing with encrypted traffic (which is widely considered too time consuming to decrypt and contains countermeasures to prevent replaying previous traffic etc). The vulnerable period is during the initial set up of the encryption between your PC and the remote server (which is why public and private certificate pairs are used - to mitigate the risk of a third party pretending to be to be the other end). I'm happy to go into detail (or you could try a google), but in short, generally speaking (there previously have been known vulnerabilities that successfully weakened the agreed encryption standard down to one that's considered easily broken) if someone/a device has attempted to get in the middle of this initial certificate exchange or adversely affect it, your browser or application will warn you there's something wrong with the certificates. And that should be enough warning for you to NOT proceed. Sadly, there are various legitimate reasons that you can get certificate errors, so many users proceed anyway, despite the risks...

The risks are more with insecure by design DNS requests (unless you're pushing them to a VPN provider through the tunnel) - these can be used to send you towards an attacker's server instead of where you actually wanted to go, HTTP based websites (and the risk you won't realise you're actually connected by HTTP until it's too late), applications that use proprietary protocols that aren't encrypted or use a poor implementation of encryption. And of course, all of your metadata, regardless of encryption (your connection to the bank may be 'secure' but anyone in the middle can still see you connected to yourbank.com, the session lasted for X duration and Y bytes were downloaded, Z were uploaded). If your traffic is all going through the VPN tunnel, you only have to provide trust to the VPN provider and their upstream ISP (and even the risks there are mitigated somewhat as many VPN providers will have multiple subscribers sharing an IP address so it's harder to unpick who is actually behind each connection coming into and out of the VPN endpoints).

I use Mullvad at the moment.

Open VPN on an AWS Instance - Securepoint client on Windows 10 / OpenVPN client on my phone.

Not too difficult to set up and much more secure than sending your WiFi or phone traffic in the clear. -- Other benefit is you can use AWS DNS and tunneling all your traffic removes the need for multiple connections on a tulipty coffee house network. So once you are connected it runs much better.