My threat model is generally removing as much passive data gathering and tracking as possible, corporate or state. My threat model does not include active investigation from the law enforcement or state

Honestly just route your tcp traffic through Tor, even if you’re being snooped on by guard and exit nodes owned by the state when using clearnet sites, no advertiser is going to know who you are, and state owned exit nodes aren’t going to investigate you for visiting random common clearnet sites (note even if you’re deanonymized you’re still protected by tls). No reason to pay for a VPN for this, and the more Tor users the safer Tor gets against certain types of attacks.

It’s worth noting neither a VPN nor Tor will protect you from advertisers fingerprinting you due to poor opsec; and that is very difficult to get around if you’re doing something like using popular social media platforms with an account.

Imo the most important thing is the separation of what you do. If you’re logged in on facebook, you can do that from your public ip. Anything you’re not associated with your name you want to use a diffferent browser identity and maybe a different ip.

If you use Torrents or do anything illegal or whistleblowing or similar stuff, use a live linux iso with no persistence and a vpn bought with monero.

I think your in a situation that a lot of users fall into, where your making your life harder without any benefit to your threat model.

You really have no reason to switch from Proton to Mullvad based on your threat model.

I’ve been doing this for a while now with opnsense being what masks the whole network behind the mullvad VPN.

Pros:

• Even fresh new devices that have all that crap junkware installed get routed through the VPN, meaning no tracking to you immediately (unless they sniff the rest of the network and relay your network AP I guess)
• one device instead of many, leaving extra devices available to use for a single mullvad account (limited to 5 devices, at least for wireguard)
• if using wireguard, you honestly won’t be hit with network performance issues. Just don’t choose a server across the world from you. I chose one in the same country as myself and get an average 95-97% of my internet speed, and that’s because I also have IDS/IPS enabled

Cons:

• as others mentioned, increase captcha annoyances
• some banks may lock your account if you try to log in with the VPN
• if the VPN server goes down, the whole network will. This may be a good thing since your don’t want traffic to leak, but just pointing out you now have another single point of failure outside your ISP
• when someone’s hoarding the entire VPN server you’re connected to, you’ll probably witness a slowdown

That all being said, if you’re not very technically savvy on the networking side or haven’t ever setup a custom router/firewall, this will be a pain. But it you want to learn something new and are up for the challenge, eventually it gets down to almost never having to worry about it. I’ve been doing it for a long time now, so for me personally, I’ve gotten to the point of only needing to login to the firewall for a VPN setting update or server change maybe once a month