I agree that https is not at all the only way to know if a website is legit, since most listed sites by google are https, (even if they are seo garbage filled with ads and trackers, but thats a different problem). However if it is HTTPS, the VPN server is only effectively able to read what someone sitting across from you in a free WiFi cafe could see when sniffing your connection as they need to decrypt their encryption for the web server