I don't have a laptop available, or I would test this myself, but I'm curious if a VPN can protect you from targeted attacks from the network you are tunneling through.
Say I have a Windows laptop with RDP enabled and connect to a public Wi-Fi network. Can someone on that hotspot's network, if that network's firewall allows inter-device communication, detect my laptop and start brute-forcing the RDP connection (for example) while I am connected to the VPN? I expect they can in the case of a split-tunnel VPN, but is that true for a full-tunnel VPN?
What would be some mitigations in this case? One mitigation I can think of is the private/public/domain classification in the Windows firewall. Mark that public Wi-Fi as "public" and disable RDP in the firewall for public networks (if it's not already, though I think it should be). Better yet, set up explicit rules that allow only IPs or ranges you are in control of, and use only non-standard private ranges in the networks you control (avoid 192.168.0.x or 192.168.1.x or the like, which come pre-packaged with most network gear, or at least consumer-grade stuff).
What other risks are there when connecting to a random Wi-Fi network other than the ones the VPN vendors advertise? Frankly, I think some of them have already been mitigated by HTTPS, which in the vast majority of cases is good enough, and you shouldn't use unencrypted HTTP in the first place.
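As an added example (editor's code, not part of the original question), here is the mitigation described in the question expressed as PowerShell: classify the hotspot as Public, take the built-in Remote Desktop rules out of the Public profile, and scope them to a range you control. It assumes Windows 10/11, an elevated shell, and the built-in "Remote Desktop" rule group that Windows ships; the range 10.73.16.0/24 is a placeholder for your own managed network.

```powershell
# Added example, not from the original post. Assumes Windows 10/11, an
# elevated PowerShell, and the built-in "Remote Desktop" firewall rule group.
# The range below is a placeholder for a network you control.

$managedLan = '10.73.16.0/24'   # hypothetical: your own non-default private range

# 0. Why the host firewall is what matters: TermService listens on 0.0.0.0,
#    i.e. on every interface, the hotspot's Wi-Fi adapter included. Routing
#    traffic through a tunnel does not change what the local adapter accepts.
Get-NetTCPConnection -LocalPort 3389 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 1. Classify the current Wi-Fi connection as Public so the Public profile
#    (and its rules) governs that adapter.
Get-NetConnectionProfile |
    Where-Object { $_.InterfaceAlias -like 'Wi-Fi*' -and $_.NetworkCategory -ne 'Public' } |
    Set-NetConnectionProfile -NetworkCategory Public

# 2. Make sure the Public profile is on and drops unsolicited inbound traffic
#    by default, so anything not explicitly allowed is blocked.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block

# 3. Remove the built-in Remote Desktop rules from the Public profile entirely
#    rather than relying on them merely being disabled there. Enabling RDP via
#    the Settings app re-enables these rules, so restrict the profile instead.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Profile Domain, Private

# 4. Scope the same rules (TCP/UDP 3389 and the shadow-session rule in the
#    group) to the managed range, so even on a Private network only hosts in
#    that range may connect.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $managedLan

# 5. Verify: each rule should now show Domain, Private and the managed range.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = $addr.RemoteAddress
        }
    } | Format-Table -AutoSize
```

Step 0 is there as the check a practitioner would want before trusting the tunnel: the RDP listener is bound to all addresses, so whether a neighbour on the hotspot can reach port 3389 is decided by the host firewall (and any filters the VPN client itself installs), not by where the default route points. The same profile-plus-remote-address pattern applies to any other inbound listener you keep on a laptop, such as SMB on 445 or WinRM on 5985.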