Right, you're always trusting someone. If you don't use a VPN (or Tor or I2P) you're trusting your ISP. If you use a VPN service, you're trusting it. If you run your own VPN on a VPS or server, you're trusting the provider.
Also, you can't trust what a VPN service says about where their servers are, how they're manages, and so on.
So you need to distribute trust. [Please see my other recent comment about how to do that.]
You can also take the antagonistic approach. Use a VPN service from the North-Korean government. They will surely spy on you and try to attack your network. But they also won't share data with any form of law enforcement that could reach you.
Probably a really bad idea, but the principle is clear. If you want to minimize legislative reach, take a service from the other side of the planet. Maybe not Australia.
And using nested VPN chains, you can pick appropriately.
For the first (entry) VPN, I use one that's innocuous and popular for streaming etc. For the middle ones, I pick ones that are either apparently honest or do business from jurisdictions that won't likely cooperate with my country's. And for the last (exit) VPN, I pick another that's innocuous, with IPs that don't often get blacklisted.
Access the internet via an anonymous SIM card (tethering), then use TOR to access your VPN (paid in Bitcoins, money order or whatever). This gives you a decent level of anonymity, if need be.
Also, you can't trust what a VPN service says about where their servers are, how they're manages, and so on.
So you need to distribute trust. [Please see my other recent comment about how to do that.]