Firefox’s free VPN won’t be using Mullvad’s infra though; it’s hosted on Mozilla servers around the world (if beta testing of the feature done in late 2025 tracks).

…oh.

How long before that data gets sold?

Data is encrypted over VPN tunnel by design.

The data is indeed encrypted, but both you and the VPN provider have the keys - that’s why they advertise no-logs policies, because they have access to the data you send, such as which website you’re attempting to visit.

Can a VPN provider do man in the middle attacks if they wanted to? Like sniff my /api/login calls and get my password? My gut tells me yes but I don’t know enough to be sure, I feel.

If you have to install any closed-source software to use the VPN, the answer is oh hell yes, they can install a root cert. If they are clever they can remove it when you disconnect, so it will not be noticed by most people.

Even if they require no proprietary install, by definition the VPN knows every IP address you connect to. Even if you use DoH. Even if you use Quad9 DNS. The VPN knows you visited midwestsluts.com

If you want privacy, either spin up your own selfhost OpenVPN, or use the Tor nodes myself and volunteers like pay to make free for you to use. Tor node operators can’t tell what site you are visiting (if they run an exit node they can see the site – but don’t know your IP; if they run a Guard/proxy node they can see your IP, but can’t tell anything about what sites you visit or what data you get)