"Public wifi", not "your own connection". You have two options for who you decide to trust:
1) A VPN company, who you've had the opportunity to research, whose primary business and reputation is based on handling your traffic.
2) Each and every WAP you connect to, in many cases with no real means to verify it's actually e.g. the official WAP of the hotel you're staying at, for something that likely costs the owners money rather than being seen as a profit center in and of itself. Their primary business and reputation is staked on something completely different than their handling of your traffic (be it their coffee, their accommodations, whatever.)
If you trust #2, statistics eventually comes into play - you will trust someone who shouldn't have been trusted. This also ignores that "public wifi" frequently performs MITM attacks for the... not entirely unreasonable purpose of providing login gateways, terms of use, etc. when you initially open up your web browser. But if you're already MITMing traffic, it's not as big a stretch to substitute your own (poorly vetted) advertisements and affiliate links for a little extra revenue. Even if you don't do that, there are no guarantees your MITM tech isn't accidentally weakening security à la Superfish.
I think you put far too much trust in one of thousands of clone VPN services. There's no reputation to taint, there's stock standard scripts running on commodity VPS boxes they rented from somewhere else. I would be shocked if at least some of the most commonly used ones weren't run by people looking to sniff credentials. You're paying to pipe all of your sensitive information through some random person's box, which is just ludicrous.
You should trust your end points. Assuming you trust the machine you are using, the other end of the tunnel should be just as trustworthy. That's great if you trust a company; but what incentive do you have to trust them?
I also uninstalled Flash.