Define a Threat Model
As a reference, Tor Browser's design document describes which threats/attacks are considered in-scope. A VPN (or VPN-like service) has different strengths and weaknesses, therefore we must define those and evaluate reasonable expectations.
Some initial questions:
- When are the VPN's protections applicable?
- What are reasonable expectaions when the service is disabled?
- What are reasonable expectations when the service is enabled?
- Which use cases can we reasonably support? (e.g., under which circumstances can we fail-closed: device is rebooted or app crashes?)
- What properties does an application's connection gain/have when routed through this service?