Encryption of Exposed Data

Data is exposed through two primary channels: when it is transported over networks that are not under your control, and when it is at rest on a device that leaves your home. Any private data should be encrypted in both scenarios.

Data On Networks

Private data should always be encrypted when passing over untrusted networks. This is common practice today, and exceptions are increasingly rare. Judge those exceptions harshly and kick them to the curb.

Session Encryption

Session encryption is where your client device and the service you are connecting to agree on an encryption key, and all of the information passed back and forth between the client and the service is protected by that key. This is nearly ubiquitous today. For web browsers it is easy to tell whether you are protected by looking at the web address: if it begins with HTTPS:// you are protected; if there is no 'S' and it is just HTTP://, you are not. Protection is so common, and so easy, that its absence is a real red flag about a service.

For services that do not run in a web browser, such as email clients and apps, it is harder to tell whether you are protected. Only use services you have reason to believe follow best practices here.

Virtual Private Networks (VPNs) use logic similar to the session encryption described above: a VPN client on your device and a VPN service agree on an encryption method, and the traffic between them is protected from observation. If you are using a VPN to reach untrusted networks, i.e., to consume services on the Internet, a VPN is not an adequate security solution and cannot replace session encryption. Unlike session encryption, the encryption provided by the VPN ends at the VPN server. Traffic from your device to the VPN server is protected by the VPN's encryption; once it passes the VPN server and goes out to the wider Internet, that protection is gone.

VPNs are a security solution in circumstances where you want to securely connect trusted systems and networks across the public Internet, but they are of little security value when used to connect to the public Internet itself. For our purposes, in the context of this third principle, Encryption, VPNs are a fail.
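The following is an added example, not code from the original page: a small Python model of the two layers discussed above, session encryption (client to service) and VPN tunnel encryption (client to VPN server). It sends one request to a hypothetical service, shop.example, through a VPN, once as HTTPS and once as HTTP, and reports at each vantage point on the path whether a secret in the request is readable. The keys, the request and the service name are constructed sample values, and the "cipher" is a demonstration keystream built from SHA-256 with an HMAC tag, used only to make the layering visible; it is not a real cipher and not something to reuse.

```python
import hashlib
import hmac

# Constructed sample values. In reality the session key comes from the TLS
# handshake with the service and the tunnel key from the VPN protocol.
SESSION_KEY = hashlib.sha256(b"constructed: client<->shop.example session key").digest()
VPN_KEY = hashlib.sha256(b"constructed: client<->vpn server tunnel key").digest()
SECRET = b"SECRET-ACCOUNT-TOKEN"
REQUEST = b"GET /account?token=" + SECRET + b" HTTP/1.1\r\nHost: shop.example\r\n\r\n"


def _keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Demonstration-only stream cipher: XOR data with a SHA-256 counter keystream.
    Symmetric, so the same call encrypts and decrypts. Not for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC tag."""
    ct = _keystream_xor(key, label, plaintext)
    tag = hmac.new(key, label + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(key: bytes, label: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on tampering or wrong key."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, label, ct)


def simulate(scheme: str) -> dict:
    """Send REQUEST to shop.example through a VPN as 'https' or 'http'.

    Returns, for each vantage point on the path, whether SECRET is readable."""
    if scheme not in ("https", "http"):
        raise ValueError("scheme must be 'https' or 'http'")

    # 1. Client app: session encryption exists only if the address is https://
    app_bytes = seal(SESSION_KEY, b"tls", REQUEST) if scheme == "https" else REQUEST

    # 2. Client VPN software: the tunnel wraps whatever the app produced
    tunnel_bytes = seal(VPN_KEY, b"vpn", app_bytes)

    # 3. VPN server: strips the tunnel layer and forwards the inner bytes onward
    forwarded = unseal(VPN_KEY, b"vpn", tunnel_bytes)

    # 4. Service: strips session encryption, if there was any
    received = unseal(SESSION_KEY, b"tls", forwarded) if scheme == "https" else forwarded

    def visible(view: bytes) -> bool:
        return SECRET in view

    return {
        "home_network": visible(tunnel_bytes),  # your ISP, the cafe Wi-Fi
        "vpn_server": visible(forwarded),       # the VPN provider itself
        "internet": visible(forwarded),         # every hop past the VPN server
        "service": visible(received),           # shop.example, the intended reader
    }


if __name__ == "__main__":
    for scheme in ("https", "http"):
        print(scheme.upper(), "via VPN:", simulate(scheme))
```

Running it shows the point of the section: with HTTPS the secret is unreadable everywhere except at the service, while with plain HTTP the VPN hides it from the home network only, and the VPN provider and every hop beyond it can read it in full.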

There are important privacy implications of VPNs. For more information please see the VPN discussion in the Privacy section.

Data On Devices

Data on devices that may leave your personally controlled space should be protected by encryption to prevent unauthorized access. If your mobile device is lost or stolen and NOT protected by encryption, a conservative view presumes the unprotected data was exposed.

Mobile Computers

Microsoft Windows and Apple computers can both be protected with full-drive encryption. I think Apple was ahead in adoption of this, but it is now included as an option with Windows 11. For Windows 10 I needed to spend $100 to upgrade to a Pro license and then do some technical shenanigans to set up BitLocker. If it is an option on your device, be sure it is enabled. If it is not a native option, either get a third-party solution, make sure the device never leaves your home, or destroy the device.

Phones

Pretty much every phone I'm aware of today has full encryption as either the default or an easily enabled option. Make sure yours is enabled and that your device requires a PIN or biometric authentication to unlock it.

Lotus Quest