I assume this is definitely the case for free VPNs, if any of those still exist. There might be some willing to donate bandwidth and compute resources for the good of others, but I’m sure there’s more that pretend to do that but actually just sell the data or maybe just spy.
Tbh I wouldn’t be surprised if this is also the case for TOR nodes. I wonder how many entry and exit points are run by the NSA or some other government entity. Or are just monitored. If you can monitor the entry and exit points, you can determine both the source and destination, and just match them together using the middle node address.
Same thing with proxies.
Paid VPNs could go either way. On the one hand, they could make more money if they are willing to sell out their users’ privacy. On the other hand, that risks the entire thing falling apart if word gets out that it’s not private, since that’s the whole point of VPNs. I’m sure there’s some good ones out there but I’m also sure that there’s bad ones and wouldn’t be surprised if some of the ones considered good are actually bad.
Maybe ones that run in Europe would be safer bets. Their business is at least able to run there with the privacy laws. Maybe they are skirting them and haven’t been caught yet, maybe their data sales from other regions are profitable enough to support European operations without data sales, but if they are going for max greed and min risk, maybe they wouldn’t operate there. Or maybe they just run things differently in the different regions to maximize global profits.