Firefox’s free VPN will offer 50 gigabytes of monthly data, which is pretty generous for a browser-based VPN. A Mozilla account is required to make use of it, which isn’t a hardship (they’re free), but is a point of friction some may wish to know upfront.
Generally not. Anything with authentication would be using HTTPS encryption. So there will be two layers of encryption: the VPN encryption and the web site’s HTTPS encryption. The VPN provider can’t replace the HTTPS encryption because your browser would identify it as being encrypted with the wrong certificate and it would block the connection.
Although…given that they control the browser, too, I suppose they could code it to remove those safeguards, but that would not go unnoticed for long.
When you use a VPN, it basically replaces your ISP as the intermediary who can snoop all your traffic, so the real question is who do you trust more: your ISP or Mozilla?
assume the VPN provider is adversarial
now re-run your analysis
This is true regardless. HTTPS encryption keeps a man in the middle from seeing your URL. They just get the domain name, which is a lot, but it isn’t your credentials.