Tor.

Also, anyone can get a VPS in almost every country and run an OpenVPN or Wireguard server without any authentication requirements, which you can do by literally just installing it from your server distro’s package manager. All that’s needed is a place for people to share the domains/IP addresses of their servers.

But yes, this would be bad for security as you’d have no way of verifying if the server isn’t running a bugged implementation of the VPN protocol or isn’t actively logging everything (which, BTW, is also a problem with fediverse instances that I don’t see enough people who “switched to the Fediverse for privacy” talking about). A VPN like this might be okay for torrenting, watching geolocked shows on streaming sites, hiding stuff from your ISP’s marketing team/university/employer, and confusing basic web trackers, probably, but not great for serious privacy or anonymity. Tor has mechanisms built in to safely handle one node being compromised, but even that’s not perfect. For example, if all three nodes on your Tor circuit is compromised by the same entity, you’re flat out screwed.