Your ISP can still see IP addresses you connect to, they forward all your traffic.

No they can’t. The ISP cannot see any traffic that goes to or from you while you are connected to the VPN, only that you are sending encrypted packets to/from the IP of the VPN itself. It’s the VPN that then sends your requests on to the site you want to see, and routes the reply from the site back to you.

DNS requests are a separate attack vector, but VPNs almost all offer a means of protecting those from scrutiny as well, and as you say, DNS over https/TLS is also resistant to snooping.

There are some more esoteric ways of spying on your traffic, but the likelihood of any of it being used against you is remote unless you are on the shitlist of a major corporation or government.

Ad blocking does more for less cost than getting a VPN will ever do

Ad blocking mitigates a different risk, which is that trackers on pages you visit will report your behavior to aggregators who sell that data. By all means, use an adblocker. Maybe two. But also be aware that some adblockers sell your data to advertisers (e.g., Adblock Plus: Ublock Origin appears to be less problematic). Or, if you’re a bit more technical, you can set up your network so that known data-collection output isn’t sent. There are even lists of known snoopware endpoints you can subscribe to so you can more easily block them. But the ingenuity of the data collectors is extreme, and it’s a continuing struggle.

Another potential source of leakage is your browser fingerprint (there are sites that’ll tell you how unique your profile is-- the answer is generally “enough to identify you.” There are extensions that can conceal that too.