Needing to use a VPN because Ledger can't be trusted is the real threat.
Wrong. Firstly, that is not a threat at all. You are just bypassing some restrictions by using a different IP. Secondly, if you can't trust Ledger's software or hardware then using a VPN will not help you with anything.
I didn't say using a VPN is a threat. I said needing to use one. In other words, if Ledger's code is so unsafe that one needs to use a VPN because of it, that's proof Ledger's code shouldn't be used in the first place. Ledger's code is poison.