The phrase in the title is a common trope that comes up when VPN services are discussed. While this statement is technically correct, it can be misleading, as it implies that all providers handle law enforcement requests and prepare for worst case scenarios similarly, so their conduct cannot be a differentiating factor when you evaluate them.
For “privacy” yes, almost entirely.
If your VPN isn’t routing to your home network so you can safely access selfhosted applications then you’re basically just sharing your traffic with a total stranger and trusting them not to run telemetry etc.
It depends who you trust more, your isp or your vpn provider. Isps are not known for doing right by their clients
You also have to trust your vpns isp.