The entire Internet is based on routers aka middlemen. Even your VPN provider is a middleman.
If I had to choose, I'd trust a known compromised access point that doesn't know my identity over Yet Another VPN provider to whom I paid money and gave valid billing details.
Both are shady, at least the first only gets small bits of traffic that happen to be unencrypted here and there and doesn't have my identity and can only snoop when I'm at the location of the AP, the other one has my valid identity and billing details, e-mail address and happens to snoop on me all the time I have the VPN on regardless of my physical location.
VPN services such as Mullvad (and I believe Nord as well) accept cash and crypto in exchange for their service. And both allow WireGuard, which is coming to the 5.6 Linux Kernel. Additionally, Mullvad has no referral model in place to attempt to track individuals via social graphs.
If I had to choose, I'd trust a known compromised access point that doesn't know my identity over Yet Another VPN provider to whom I paid money and gave valid billing details.
Both are shady, at least the first only gets small bits of traffic that happen to be unencrypted here and there and doesn't have my identity and can only snoop when I'm at the location of the AP, the other one has my valid identity and billing details, e-mail address and happens to snoop on me all the time I have the VPN on regardless of my physical location.