Generally not. Anything with authentication would be using HTTPS encryption. So there will be two layers of encryption: the VPN encryption and the web site’s HTTPS encryption. The VPN provider can’t replace the HTTPS encryption because your browser would identify it as being encrypted with the wrong certificate and it would block the connection.

Although…given that they control the browser, too, I suppose they could code it to remove those safeguards, but that would not go unnoticed for long.

When you use a VPN, it basically replaces your ISP as the intermediary who can snoop all your traffic, so the real question is who do you trust more: your ISP or Mozilla?

If you have to install any closed-source software to use the VPN, the answer is oh hell yes, they can install a root cert. If they are clever they can remove it when you disconnect, so it will not be noticed by most people.

Even if they require no proprietary install, by definition the VPN knows every IP address you connect to. Even if you use DoH. Even if you use Quad9 DNS. The VPN knows you visited midwestsluts.com

If you want privacy, either spin up your own selfhost OpenVPN, or use the Tor nodes myself and other volunteers pay for, to make free for you to use.

Tor node operators can’t tell what site you are visiting (if they run an exit node they can see the site – but don’t know your IP; if they run a Guard/proxy node they can see your IP, but can’t tell anything about what sites you visit or what data you get)