You can tell your mom a VPN is hardly necessary:
The same is true for saying you should change your passwords every 30 - 60 days. NO, that is just an old wives' tale from some guy that "thought" it would protect you. That long-standing rule was merely some guy's hunch that it would protect you, when in fact it causes people to make less secure passwords.
What is imperative is that every password needs to be unique from all your other passwords, and that requires a password manager.
If you happen to have an account on a site for some company that doesn't know what the fuck they are doing (looking at you, SONY), and they were hacked and hundreds of thousands of passwords were downloaded, in clear text by the way, then that password being unique only to that site is what protects you.
I just popped up my password manager, Bitwarden, and created a password as an example. "WdRH2zedA2NSxT". It's unique as it will only be used for demo purposes. Do that for every account you have... be it just a forum you seldom visit or your financial accounts.