Because they use the official apps/web-vault, they don’t need to implement most of the vault/encryption features, so at least the actual data should be fine.
Security audits are expensive, so I don’t expect it to happen, unless some sponsor pays for it.
They have processes for CVEs and it seems like there wasn’t any major security issues (altough I wouldn’t host a public instance for unknown users).
If VPN’s actually won’t be able to protect its users from copyright claims anymore, there’ll still be anonymisation networks like I2P (at least so long as encryption isn’t banned).
Yes, it’s slow atm, but if it was included in more torrent clients and enabled by default, speeds would likely get better.