The question to what is the cloud provider doing? They are certainly doing monitoring, but are they tracking?
Using a personal VPN for privacy or geo-relocation can work well. I’ve used one to have a “virtual presence” on client networks, which was the original point of VPNs.
That is a fair assessment. There are a few likely failure modes. If you scratch around online, you can find examples.
The most common is the VPN service has a server (or multiple servers) get compromised. Users who hit a compromised server then have their data stolen by the third party. Unfortunately, we’ve got examples of the VPN providers finding out about these issues, and not responsibly disclosing them.
Another issue is a rogue employee of the VPN starts collecting data, either on their own initiative or due to outside pressure. Similarly, a “secret warrant” can be used to compromise a server targeting a specific user (or not so specific…).
There’s also the risk of the VPN provider holding onto too much data for internal analytics. They must monitor their network to determine when they need to add capacity, identify DDOS attacks, and similar administrative purposes. If they collect too much data, or don’t properly anonymize the data the collect, then that data can get compromised in a variety of ways.
Finally, many VPNs are owned and operated by parent companies. While the VPN provider itself is not in the business of selling data, they may well have sibling companies that are. It’s likely that whatever (anonymized?) data they collect gets given to these sibling companies for marketing purposes.