I tend to use Amnezia, whose developers are from Russia. Unsure where they run their business from (wouldn’t be surprised if it’s from Dubai).
RAM based servers don’t mean much when Mullvad employees can SSH into it and have admin access.
“Can’t do anything” is a stretch, but you’re right that DAITA is a valid defence against some forms of traffic correlation attacks.
This can’t be taken for granted. At least one VPN provider PG recommends maintains account identifiable data to prevent abuse.
And VPN providers, depending on their jurisdiction, may have to KYC paying users.
Since you bring up Mullvad:
… in some situations we might process your personal data if you, for example, are making payments by a bank wire, PayPal, Swish, Stripe
… If you choose a payment method where you are providing your personal data to Mullvad, such as PayPal, we will process and protect your information according to the GDPR and other applicable legislations.
“protect your information according to … applicable legislations” is a euphemism for “you’re at the mercy of Swedish laws”, which is OP’s point, and to their credit, Mullvad is honest enough on this:
The data must be kept for the statutory retention period described in applicable local laws such as the Swedish Accounting Act (some information must be stored for seven years from the end of the fiscal year).
Besides, Mullvad’s email support (going by MX records / mirror) is all Google, so that’s there, too.