I’m surprised someone as technical as yourself says this.
Cast your mind back to PGP. Pretty Good Privacy. Uncle Sam didn’t like it as the bad people could not be checked.
Man-in-the-middle attacks are where someone in middle decrypts using the shared public key and recrypts using their private key, hence the notion of public/private key. SSL is core to this. If it is SSL then the network path cannot see your data.
Non-SSL, your point is valid.
You are being tracked if you do not use VPN, all the VPN does is change who where is doing the tracking.
I’d be wary of free adblock VPN solutions (how are they funded, hint, hint).