Well you're anon from actors looking to track you outside of the VPN provider. The VPN provider also informs you that you can change your OS identifier.
Not really. The traffic in transit is the least interesting traffic because it's mostly encrypted. This traffic could be intercepted at the next hop past the VPN provider anyway if someone was sufficiently invested in finding out what you were doing.
All a VPN does is change the egress point of the traffic from your ISP assigned IPv4 or IPv6 address. This is good for spoofing your location and ISP, that's about it, but then you are trusting the VPN provider not to undertake logging, ad injection and monetize your DNS queries and browsing habits (even "anonymously" lol) which was the point being made about Kape.
- Are you trusting the VPN provider with your DNS queries or is your computer making those to yet another 3rd party?
- Are you ensuring you don't login to any sites that you have accounts on that could contain PI? Sites that could potentially participate in cross-tracking?
- Are you ensuring you aren't logged into your browser, which will also collect PI, habits and history?
- Are you ensuring you aren't using e-mail or any other service that has any personal connection to you?
We personalize our devices and typically do online banking, access our e-mail (gmail, yahoo, hotmail/outlook...etc) so already the client ID in the form of the IP address and the client identifier (hostname assigned) are being collected at the remote endpoint and associated with your identity. Whether that's AT&T or ExpressVPN is really inconsequential at that point.
If I was doing a pentest from a burner or a liveDVD (just for the sake of an example) so the hardware itself is totally blank slate and was trying to spoof a COO to maybe check if geoblocking was working or not, then a VPN of this type can be useful. However, that's not the usage profile of Joe Average home user.