As others have mentioned, DNS is probably your worst enemy. It doesn't take much technical knowledge to just create a DNS server and start logging all domains you're accessing. Say, to tell mom how often you're browsing porn or something.

Manually configuring DNS servers in your OS would resolve this issue, but also using VPN like mullivad would just bypass such worries with 99% certainty.

Or just keep using mobile data, because why not

HTTPS encrypts traffic making it hard for packet sniffers to know what is being transferred. If you are using unsecured WiFi, there is a chance of DNS manipulation like, switching domain names etc. If you're using VPN, you hide your identity (IP) from the websites you visit and also if its configured to use their own DNS server, you can somewhat eliminate the DNS manipulation.

Anyways if you're not sure, try to use a VPN and HTTPS everywhere and use firewall to lock down all your exposed ports. I don't know how to configure firewall for port lockdown in android, but Rethink DNS (check Fdroid) is kind of helpful here.

I think there's some fundamental misunderstandings about what each technology does.

• HTTPS encrypts the data you send to each website. However, there's no guarantee a website will respect that setting (though they often do) and it may or may not include ancillary data and trackers from third party JavaScript; if there's an issue, your browser may fallback to HTTP mode. DNS requests will almost always be unencrypted, so each gateway between you and the website can at least see where your IP address went.
• VPNs essentially act as a proxy for your internet browsing. What that means is that anyone who could sniff your traffic can see that you established an encrypted tunnel to the VPN IP, but they would have to be able to track that second IP address to see where you were going. Each gateway operator between you and the VPN can only see that you connected to the VPN, and the VPN will forward all traffic requests you made back to you via an encrypted tunnel. Good VPNs will also send your DNS requests to their servers, so all anyone can see is that your connection is wholly tied to the VPN.

In your case, your brother could mess with the DNS on the router to send you wherever he wants when you type in google.com, he could set up a hosts file to block you from going to specific sites or IP addresses, or he could manipulate any unencrypted data packets you receive.

Using your phone internet just puts your privacy in the hands of your phone's network operator instead. How much do you trust them not to rat you out?

If you want anonymity or ways to get around blocks, you need to use a logless VPN at minimum or something like Tor, depending on your needs.

Kind of depends. The one thing that an untrusted network may be able to do is adjust routing tables. Some systems and some VPNs may be protected from this, some may not. At least the https connections should be secure but where you're connecting can be trracked. DNS is vunerable too unless you set your browser system to use a secure connection to DNS server you trust.

The HTTPS everywhere extension only covers the browser. Other applications might be vulnerable. If he controls the network, he could hijack your DNS and intercept all other connections. He could also use a downgrade attack to force an insecure version of TLS and compromise that.

But that's extremely unlikely, unless he's either a skilled attacker or can use tools like metasploit.