Everything I see here has involved a LOT of assumptions that are unstated.
When ever I see discussions like this, there’s a question that must be asked:
What hunts you?
If you do not have a clear idea of the actual threats you face, you can not begin to determine if your countermeasures are sufficient.
As an example, I have been in conflict with right wing hate groups in the U.S. since 2010. If what I am doing is within the U.S. and publicly visible, I know that I will encounter corporate security, DHS or FBI undercover operations, and I must anticipate malicious prosecution and frivolous litigation. I have been involved in countering the Russian invasion of Ukraine, there I can expect all of the domestic troubles plus Russian intel.
Tor does not work for much of what I want to do and that has been a steadily increasing problem, it’s simply shunned by a lot of web sites. It still works for quick recon part of the time and my most common use case is employing it as a means of remote access, employing ssh as a hidden service.
VPNs, depending on how heavily they are used, are also fading as an access method. Many sites now lump VPNs into the same category as Tor - undesirable. You can just forget about anything that involves a financial transaction, and most of the major social media sites will also treat you as an unwanted prowler.
That begin said, I have used a VPN as a layer between Tor, ensuring that any foolishness related to Tor usage dead ends in an uncooperative jurisdiction. Keep in mind that quality VPNs like Mullvad and Proton offer multi-hop services. This is more or less a similar degree of protection to what Tor offers in the moment - you get on net in one place, get off somewhere else. If you onboard AND offboard in uncooperative jurisdictions, why do you need Tor? I can only think of one case where Proton gave up a user and it was highly situational - the perp, victim, and a lot of the network were all in Switzerland. If you’re not a Swiss cyberstalker, trouble seems highly unlikely. And with Mullvad’s no ID required payment options, they’re even safer.
I have seen it discussed, but I have never done the process of using Tor to connect to a VPN that permits TCP based sessions. This was being used in situations where the operator felt the need for Tor’s anonymity, but the destination refused Tor sessions. Laundering the Tor usage through a VPN got them in without surrendering anonymity. As above, VPNs are getting the same love that Tor does for many services, so this may also no longer work.
Given my threat model, a portion of what I do any more comes down to a burner phone with a generous tethering plan. I bridge a VirtualBox VM such that it pulls an IP via the USB tethered phone, and that’s fine. A subpoena or warrant would expose the phone, but I pay cash. A little more digging would get to the location data. Then someone would need physical surveillance or convincing a judge they need to paw through all the other subscriber data in the area. Actual physical USB tethering matters here, WiFi is NOT sufficient, read Jeremy Hammond’s indictment if it’s not immediately clear why this is the case.
A couple of years ago I did a stint working for an expert witness and we were servicing U.S. federal public defenders. DNS leaks were THE way that people were getting into trouble. How I solve for that with VirtualBox is something akin to the Whonix layout - a VM that’s the client side that uses a gateway VM for access. The gateway VM has static routes to a VPN provider and no default. If the VPN is up, things work. If not, they don’t. That config doesn’t leak. I presume same is possible with Qubes, but after nine years of periodically sampling I am just now starting to put it to work, so I don’t have a rigorous solution yet. It was easy to reproduce what I describe here, cloning sys-net and adding OpenVPN. I am not at all sure that’s the right way to do things.
So, I will say again …
What hunts you?
If you can’t answer that with some specificity, it’s hard to make well founded judgments about countermeasures.