There are a lot of VPN services that claim god-like powers of privacy and security, with perhaps less than compelling evidence to back up those claims. No one doubts Google's technical ability to create a virtual private network, but given the company's status first and foremost as an advertiser, you'd be forgiven for being skeptical of the VPN built into the Google One service. According to an independent audit, it's pretty okay. Which is nice.
Google commissioned the NCC Group, a UK firm specializing in security and software verification, to create the public report on the Google One VPN's bona fides. The 19-page report by a team of six researchers is available for free as a PDF. You can read it yourself to check the team's methodology and conclusions, but to summarize, it says that the VPN has "a very robust security posture" and that its encrypted traffic tunnel is an effective protection against the most common methods of attack.
Of the fourteen individual issues that the team initially reported to Google, ten were promptly fixed and verified, one was "partially fixed," and three Google countered were "acceptable risks." One of these NCC identified as a medium-severity issue, which would require a more complex change to the system increasing communication steps (and, presumably, decrease performance). Despite the four outstanding issues, NCC determined that the Google One VPN is in line with most competing products.
While Google's internal review system wouldn't be enough to 100% guarantee that hackers or rogue employees couldn't access private data, the system of checks, verifications, and audits is in line with industry standards. NCC noted that while the encrypted traffic tunnel of your basic VPN design coupled with Android's built-in APIs for VPN use are indeed enough to stop conventional recording of phone and web activity, Google has sufficient data and technical know-how to track users without that access if it wants to. (This is the same kind of flag security proponents have raised when evaluating Google's new FLoC cookie alternative.)
The Google One VPN is a free perk for subscribers at the 2TB or higher tiers. At the moment it's only usable on an Android phone, but Google says it will be available on iOS, Windows, and MacOS "soon."