Without derailing this discussion too much, I wanted to include some concerning issues with certain VPNs.
One case is Crossrider / Kape Technologies, a former malware distributor, buying a number of VPN companies (CyberGhost, ExpressVPN, PIA aka. Private Internet Access, Zenmate) along with VPN review sites which were then altered to favor their products followed by “restructuring” of personnel at the VPN providers. Also note that Kape Tech. includes Intego (Antivirus) and Webselenese (owner of numerous privacy/security review sites) among its brands.
Another example is the malicious VPN extensions found spying on Chrome users. Among these are FVP, Red Panda, Sweet VPN, Thunder, etc.
Below is certainly not an exhaustive list, but a sampling of what has been found or researched so far.
Kape:
Chrome VPN extensions: