Nothing. A VPN absorbs all of your traffic and shifts it from your ISP knowing everything to the VPN provider knowing everything. And you're paying them for it just so they can re-sell it. There's no better honeypot than some data mining company posing as a VPN provider to steal all of your data.
If you want it to secure you on public unsecured wi-fi, then basically any of them will do that. The VPN that came with my paid-for security software is fine for that sort of thing. With that said, the completely free ones will resell your "data". They should not have access to your passwords, healthcare records, or actual banking balances as that data should be secured / encrypted between the provider's server and the app / browser. That assumes the bank / healthcare place is doing their tech job right. There are significant penalties for not doing that job right. Those include penalties by HIPAA, and a number of banking regs, and possibly worst is reputational risk. The VPNs will know what banks and healthcare providers you use, but they should not be able to see the traffic once it is encrypted between your computer / phone and the provider's server. Can a good hacker overcome that security? Sure, but time from people with those talents costs more money than they would make on the data.
Mullvad is fine. If it's an issue of being away from home, and you only trust your home internet, you can roll your own VPN that will let your phone/laptop securely connect to your home internet. No one is stealing your data "in transit". They're poking around file servers looking for one that still has the basic admin account activated with the default password of 'password' or '1234' still set. Then they sit on it until they think there's enough data and run off into the night.
I've had good success with ExpressVPN. There is a performance hit using a VPN, but they seem to perform well. Customer service is good. They are also one of the better ones at providing good points of presence in foreign countries. Useful for any overseas motorsports fans.
I should have added that I have used NordVPN in the past. They seem to be pretty good, but since my security software now includes a basic VPN, I don't spend the extra for a standalone. Nord would let me select the country and server. The one I use now doesn't. It just connects to the server it thinks is best. This may be less useful if you are trying to hide what country or state you are residing in for whatever reason.
Use Nord here…tried a few others but Nord has been one that seems to work for my needs…stay away from anything that is “free” for obvious reasons… As has been mentioned, privacy no longer exists…free email took care of that…sister shifted to Proton, claiming it gives her more privacy but I don’t know anything about the service.
My girl has spent time in 6 countries since 2022 and Nord has become the best for that kind of mobility. I use it at home because our tier supports multiple devices in multiple locations. Great support and performance.
If your favorite YouTuber is advertising it, avoid it. I work in a field that is cyber security adjacent, nearly everyone on my direct team, as well as the corp sec folks at my company adamantly use ProtonVPN, as do I. Most VPN services like Nord or Express are subject to federal jurisdiction and have had some serious issues with timely security disclosures that have proven them untenable time and time again. Hell, even just this past week ExpressVPN disclosed it was leaking DNS records for years, which is like, the whole fucking point of their service to prevent. Services like Mullvad and Proton regularly reply with the legal equivalent of a middle finger to data requests. Ars Technica has a good article with the frequent Q&A that touches on VPN services. If there are any road racers who also work in a cyber field, here is the relevant xkcd.
Senior IT Eng, for an ISP. Working on your own data hygiene will do WAY more for you than slapping a wrapper on your packets so they piss out of an unknown point somewhere else in the world. 'VPNs' as sold are not VPNs proper, they're just changing your onramp. Your data is still just as exposed and traveling on hardware / networks controlled by others, just now it's a different set of others, maybe. They do nothing for actual security. Also, as an ISP I've got zero interest in your data, the less I have to know the better, it means the less I have to store, back up, audit, have a DR plan for, have policies for deletion, etc. Not all ISPs are the same, but it's SOOOOO easy to not give me the opportunity to easily harvest info without snake oil VPNing.