What's wrong about (1)? Https or not, there are still MitM attacks, and the URLs you are accessing are still trackable. As to why I'd trust my VPN more than my ISP, who's CEO has got more to lose once word gets out that his company cooperated with authorities to turn over my logs?
This is maybe a nit-pick, but https prevents tracking of URLs - they can still see what hosts you're connecting to, but they don't get the full URL string.
More or less everything your computer does online is protected through HTTPS or similar protocols, with proper certificate checking to protect against MitM attacks. By now, enough time has passed to get most incompetent vendors who had auto updaters doing insufficient checking to fix their software.
As someone else pointed out, URLs are not trackable, host names are, but the advice often comes in the form of "don't do sensitive stuff like online banking from untrusted networks". Since especially this has had HTTPS for 10+ years now, this advice is far outdated.
