This is not the correct conclusion.
The correct conclusion is: Don’t use http. Period. The only time an url should begin with
http: is if it ends with
Let’s say you’re an activist that regularly visits
http://freedomforcats882723416.org. A repressive regime does not agree with your agenda. A possible attack is to compel / coerce / compromise the hosting service or its ISP. If you use http, all of your communications will be intercepted.
If you believe that the content of your communications doesn’t matter as long as the anonymity of your routing is preserved, then you just haven’t thought it through. See Docs: Modern Privacy Threats.
It’s also not correct to say that tor -> vpn is “stronger”. You’ve simply shifted risk from random exit nodes to a permanent vpn. So while you’ve lowered the risk of being randomly targeted by an exit node, you’ve increased the risk of being specifically targeted by someone else.