Cellular networks should definitely be considered compromised networks. I ditched SIMS some time ago. https://jmp.chat/ and MySudo are both good options. 

If a SIM is absolutely necessary for 2FA, silent.link provides international inbound call/text sims that roam on networks, providing more privacy. 

If the service is one of the few that does not accept VOIP/XMPP (Jabber) numbers at first, you can often update to one after the initial text verification.

nostr:nevent1qqsqu7z77d7yc2ycug8sz7f6qhne7pddapze0tayje2xmjz6h04muzcprfmhxue69uhhyetvv9ujumn0wd68yurvv438xtnrdaksygzwhzp3p445ak2ud4n289dn6084txu9ltkg7a53mt75qk5jup2ad5psgqqqqqqsjx225m

As far as the VPN attack, I'm familiar with it. It's just one more reason to use Android/GrapheneOS and Linux/QubesOS. Apple still hasn't fixed multiple VPN bipass vulnerabilities on iOS...since 2020.

nostr:nevent1qqs04f3tg24vy7pe3sayklsaked0yn8qk3dyy36thp0dtl5fjnwgxjgpr3mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmqzyp8t3qcs666wm9wx6e4rjkea8n64nwzl4my0w6ga4l2qt2fwq4wk6qcyqqqqqqg028t4c