Hello, Belikewater
Several comments for you.
Regarding Tor, simply having it "turned on", and even properly configured does
not mean that all (or any) of your network traffic is being routed through the Tor network. Any program (i.e., web browser) must be properly and specifically configured to use Tor. Otherwise the Tor daemon is just sitting there doing nothing, and all your traffic is "cleartext".
Another little known (it seems) fact is that you need not have Tor "installed" in order to use the Tor Browser. It's quite self-contained these days.
The Tor project used to (maybe still does) provide instructions for "
torifying" various net-facing programs, even browsers other than the Tor Browser Bundle. Any browser you think is using the Tor network should be verified as doing so by loading a site designed to inform you of your status, such as:
https://torcheck.xenobite.eu/
As for VPNs, from Wikipedia:
...some VPN services, especially "free" ones, can actually violate their users' privacy by logging their usage and making it available without their consent, or make money by selling the user's bandwidth to other users...
Surely you have heard the axiom "Security is not a program, it is a process". The main thing you need to ask yourself is "What is my threat model"? If you'd like to keep your little sister from reading your email, a standard Slackware install with a login window will do the trick. If you're trying to hide your activity from any given government, no login window, and no VPN on the planet will save you...
I like to put it this way:
"If it's not encrypted, it's not private, and if it's not proxied it's not anonymous"
HTH!