Running a VPN as a software application on your primary workstation solves part of the problem. The application encrypts the outbound connection. What it does not do is prevent the operating system from logging that a connection occurred, where it went, and when.
This matters because operating system telemetry — whether voluntary or embedded — is a data surface that exists below the application layer. A software tunnel cannot seal a surface it runs on top of.
Hardware-level deployment changes the equation. When a VPN is configured at the router level, the encrypted tunnel is active before the workstation initiates any connection. The device never sees an unencrypted path. The ISP sees only the encrypted tunnel endpoint. The operating system has nothing to log because the decision has already been made at the network layer.
NordVPN holds Platinum designation in the RuleDraft verification framework for network isolation — specifically for its no-logs architecture, independent audit record, and compatibility with hardware-level router deployment. It is the strongest available tool in this specific category.
What it addresses is one layer. The surfaces that exist above and below it in the stack are a separate, documented problem — and network isolation alone does not close them.