He's referring to the articles that have been on the net about the Feds getting a hold of the VPN servers. So no, he's not tinfoil hat material. However, there are things you can do about that. I use VPN.AC and they now have double hop. So use that in a not so friendly country to the U.S. And since VPN.AC doesn't use port forwarding your IP won't be exposed. Disable WebRTC and ALWAYS clear cookies and cache. I find when I hit the clear all button in my browser Pale Moon, the HTML5 local storage goes away too which is a good thing. Then you need to disable Canvas fingerprinting in a not so, "I have no fingerprints" sort of way. In Pale Moon it's in about:config. Just search for the term canvas and make the boolean string from false to true.
Okay. Anti-virus and all that rot. Look no further than Bitdefender FREE or Immunet. They are very light weight, don't use an asinine amount of resources, plain and simple interface and are Cloud-based. It's all you need in terms of basic definition-based anti-virus. Then I would toss Ransomefree on there which has been developed by military cybersecurity experts to help guard against ransomware. Add Sandboxie to the bunch with access to the browser's profile to ease cumbersomeness and you are good to go. I would also use NoScript with base 2nd level domains on by default and throw in there uBlock to protect against malicious ADs which there are plenty. Now there are ADs which use Webrtc to grab your IP and try to get into your router turning it into a zombie. I can't tell you how many infected routers I see try to access my WordPress blog. All go to 403 land.
Also, check out Rollback Rx. This may help if things go awry. You have a boot option on Windows start. You press the Home key and use the arrow keys and Tab key to pick a restore snap shot to restore your computer to a time period when a virus did jack up and own you. Of course, nothing beats a nice clone to an external drive every once in a while. Note: Users of Truecrypt, Veracrypt, etc shouldn't use Rollback Rx. It will mess up your boot loader.
Or scratch all this carp and use Linux Mint in VMware Player for Internet browsing. LOL