I think that its unrealistic to assume that nobody is watching you (because we know thats untrue now) and that nobody bad is looking to harm what you do. It is trivial to inject an exploit into an unprotected webapp.
The previous poster is talking about the 'old definition' of VPN. If you don't have a office with a server you don't need to use a VPN to connect to it (and each other), since it's on the web.
What does that have to do with anything? If you're using web based services you're even more vulnerable to 3rd party intervention than you are if you were using a server in an office, especially if you're working from a coffee shop/etc.
Any sort of shared office space is vulnerable to this too.
I think that its unrealistic to assume that nobody is watching you (because we know thats untrue now) and that nobody bad is looking to harm what you do. It is trivial to inject an exploit into an unprotected webapp.