So I’ll try to answer a few of these questions on mobile 
Keep in mind that there is much of my own personal opinion mixed in here, but that’s opinion that’s born of years as a network admin, and more recently as an information security guy. My opinions are neither poorly thought out, nor infallible.
TLS (https://) is as secure as is reasonably necessary for pretty much everyone. IF you don’t click through warnings of unsafe sites then you’re more or less safe from man-in-the-middle problems, even during the initial connection.
If a site or service does not offer TLS/SSL protection, then (in my opinion) you should not access it over the Internet, VPN or not. It’s not a trustworthy service that’s being professionally run up to what are now very, very basic security standards.
About corporate VPNs: This is a very interesting topic. For the most part, they are not really necessary anymore (we’re strongly pushing people away from using ours, in favour of virtual desktops, which work well for nearly all remote access needs).
There are some use cases where (remote client rather than point to point) VPNs are still desirable, but those mostly revolve around legacy applications that cannot easily be protected via TLS, situations in which given network address ranges must be used, or when network admission control is required.
Another difference between a corporate VPN and an VPN service for individuals is that a corporate VPN protects your network traffic for the whole of its journey, whereas a VPN service like the ones that are fashionable these days only protect your traffic between your computer and their service gateway.
Also, cellular network connections are no substitute for a secure network connection.
I don’t know if that answers any of your questions, but I hope that it sheds a little light. I’m happy to expound at length on the topic, but I’m a little fearful of coming across as that crazy guy over there 