This might be true in your case, but generally we cannot validate this
In Sweden we have transparency in court, all documents are open to the public (the one exception is cases involving children). OVPN also have a a transparency page where you can read more here https://www.ovpn.com/en/transparency
I say it again, there are hard facts from transparency, Swedish court, Swedish laws, logic and reason. But when all proof say otherwise, still without proof I hear things like they are “storing those logs and selling them in raw form, or aggregated is a way to make money”. When we have explanations that are more probable than that, then we are talking about conspiracy theories. Like Wikipedia say
A conspiracy theory is an explanation for an event or situation that invokes a conspiracy by sinister and powerful groups, often political in motivation, when other explanations are more probable. The term has a pejorative connotation, implying that the appeal to a conspiracy is based on prejudice or insufficient evidence.
Conspiracy theories resist falsification and are reinforced by circular reasoning: both evidence against the conspiracy and an absence of evidence for it are re-interpreted as evidence of its truth, whereby the conspiracy becomes a matter of faith rather than something that can be proved or disproved.
We could say the same about any company, organization and software, there is a hidden agenda or a hidden clever code that looks like something else.
As an example, how can you prove to me that there are no hidden clever codes in IPFire that looks like something else? “Deep state” may have hidden it anywhere, maybe even in combination of files in a way that is impossible to know if you don´t know their huge multi country zero exploit organizations thousands of secret exploits (that organization also actively daily inserts new exploits in thousands of targeted open and commercial software every day). Well, we cant have that kind of proof, we must have trust. Most of us have to trust IPFire, based on the facts we can find, without being able to examining the whole source code for IPFire, drivers, kernel, installed software etc.
If we randomly download and install software, we probably will get malware. But with some research we can find software that we in the end judge trustworthy. If we randomly chose a VPN provider, we probably wont will get what we thought. But with some research we can find VPN providers that we in the end judge trustworthy.
In the end of the day we must try to make rational decisions based on the knowledge we actually have and the evidence we actually have, we must ultimately be able to choose to trust someone. And that’s something we have to be able to do ourselves, we should not let anyone else make that decision for us (what is that person’s agenda? )