Both of them really advertise too much (IMHO) to be trusted. They rely on introductory pricing and hoping people don't realize and get billed at a much higher rate, a model I personally hate.
But ExpressVPN has an additional reason: ties between it, its founder and Israel. There's a BDS argument against right there but additionally, there are accusations that ExpressVPN traffic is or can be monitored by Israeli intelligence.
That last one is a risk of many VPNs, which is why you have to be careful about who the owners are and where the company is incorporated. I personally prefer VPNs that are located in more privacy-focused jurisdictions (eg Iceland, Switzerland).
Mullvad is a popular option on HN. I'm also relatively positive on PrivadoVPN (located in Switzerland). Some Redditors question the quality of the service. So far it's been fine for me.
Given their need to advertise with pretty much any YouTube channel willing to take their money, I'd be inclined to question the quality the likes of NordVPN and SurfShark.
It boggles me how one can see them as anything but sus after tops 30 minutes of looking into it. You get that all those "top 5 vpn" sites and youtube recs are sponsored, right?
