Your internet traffic is already encrypted in transit, that what the “s” in https means.
You don’t get the “s” until you have the “https”. Your DNS request which turns www.TheWebsiteYouDoNotWantKnown.com into its IP address happens before you have the “s” in “https”. By default, that request is sent in plaintext, and frequently by default, to your internet service provider. So an outside monitor may not be able to see the contents of the website once you establish your https connection, they likely know that you went there and have a good idea how long you stayed on it.
While its also possible to encrypt the DNS request with DoH or DoT, its not on by default and requires the user to take configuration actions in their browser. If they’re looking at VPNs for the first time, they likely don’t know this and are sending their DNS requests in the clear.
sentientRant@lemmy.world 13 hours ago
VPN also hides unencrypted DNS and non-browser traffic which are sometimes not TLS.