Mullvad has proved it doesn't collect. It's laughable to even suggest it.
They have been raided multiple times, tons of audits, does bleeding edge research on privacy preserving tech, donates to GOS, etc etc. You don't see this kind of VPN company at all because none exists.
GrapheneOS already does this, since forever. Android can't stop copying GOS. Maybe they'll add a network toggle after a few years and call it a privacy win.
Dangerous how? Create a CAA record which pins your CA and only allow dns01 challenge. Problem solved, a BGP hijack can't issue a valid certificate for your site.