chunky1994 | 2 years ago
Your first layer of defense is assuming it's hard for a bad actor to get to that spot (which this attack is showing is possible).
Now the next thing the bad actor needs to do to compromise your traffic is deal with HTTPS/VPN. The only real way to do that would have to be to convince your client that the certificate from the CA that's signing the HTTPS traffic received from the webserver/VPN provider is trusted (i.e., a classic MITM with a compromised client and a local CA).
Most clients will warn you that this cert is unrecognized, so with an untampered client, unless you just click through the cert warnings, you will be protected. However, people often ignore cert warnings, and that means that all your traffic is now cleartext for the bad actor.