You're thinking of these as Single Points of Failure, but they're not in parallel; they're in series.
Consider the attacker: a service you've visited that has your "outermost visible" IP, and wants to know who you are. From their perspective, it doesn't matter if your ISP is willing to give information freely, because they don't know who your ISP is until they've already gotten the information from your VPN provider. Each layer prevents the layer below it from being attacked, until it is removed.
Yes, a state actor could just ask "every ISP at once" to look at their logs of OpenVPN-protocol traffic and identify the packets that match the ones that arrived at the service. But state actors aren't the usual attacker profile, and require entirely different strategies (e.g. getting human "proxies" to use Internet cafes for you.)
Ignoring traffic analysis, you shouldn't have to trust your own ISP while using a VPN. Ignoring traffic analysis makes sense unless you're a high profile criminal, and it affects all low latency tools, including Tor.
They run massive PR campaigns with carefully structured press releases designed to convince the kind of people they want to detain that TOR is private and safe for any kind of activity.
Because of this people tend to get swole when you suggest that TOR is not any good for protecting your privacy because lots and lots of people have been arrested, tried and convicted after trying to use it to hide elicit activities.
The US government has made millions of dollars of investment into TOR:
AFAICT, in all current cases it isn't Tor itself that's been broken by the authorities. It's the client end that has been compromised; and in a way that isn't specific to Tor. Had these users been using a VPN without Tor, they could have been compromised in largely similar ways.
Please, find me a counter-example - because I haven't seen one.
Admittedly, one thing that has happened is that the authorities are able to target compromises in the Tor Browser specifically, rather than in a wider range of clients that non-Tor VPN users might use. But they're probably more vulnerable than the Tor Browser is anyway.
It's important to consider here that the average person using TOR is not a network administrator.
And that they'll follow the instructions that come with the TOR browser and assume that it's safe.
So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Saying that TOR isn't safe if you know what you're doing is like selling someone a car with no seatbelts and then telling them well if you knew what you were doing you'd install seat belts yourself and then the car would be safe.
> So when I say that TOR isn't safe, I mean that it isn't safe as it's presented.
Sure. But it is no more dangerous to use Tor on its own than it is to use a VPN privacy service on its own. So your claim that the US Government is enticing people into using Tor to entrap them is nothing more than an unsubstantiated conspiracy theory. It would be easier for governments if criminals didn't use Tor.
Chrome is arguably more 'secure' than the ESR Firefox that the Tor Browser is running on. If you are realistically concerned about this type of targeted attack, you should probably be browsing with Chrome isolated inside of Qubes/Whonix.
My ISP is AT&T. I don't think there's much the VPN provider or their ISP could do to make things worse for me. The worst case scenario is that they are as bad as AT&T and there's a non-zero chance they are better.
The worst case scenario is not just that they're as bad as AT&T. The worst case scenario is that they're as bad as AT&T and still provide a false sense of security.
Even if you're diligent, other users with your (ISP, VPN) provider pairing might not be, and they could be harmed as a result.
The comments security nerds make here on HN aren't one-on-one individualized consulting (n.b. that's paid work in my field), they're general advice for the public to refer to.
