“or something” putting in the work here

VPNs aren’t really how you even go dark. Even with one every website you log into still knows exactly who you are - you did hand them your username after all - and they will often also store cookies or other identifying information with your computer to keep track of you regardless, and that’s just the beginning of their tactics. They can also just grab your setup details, like screen size, browser, etc. and just construct a profile to give them a decent chance of just guessing that your two separate visits to their site are from the same person. To really “go dark” you need a separate account on a different internet network that you haven’t got your name on from a computer you use nowhere else and keep in a faraday bag at all times you aren’t using it, or something equally paranoid. And also Tor, Tor is pretty good. If you’re actually buying anything online stealthily, this is unfortunately one of the few realms where crypto has a genuine undeniable use. I’ve heard Monero is hard to track (hence why it’s a common choice for malware crypto miner programs) and is the preferred medium of exchange, but that advice is dated and might have been from a fed for all I know. Even then, unless it’s a purely digital good, you still have to hand some information to somebody to receive a good, be it a drop-off location that they could stick around at and get a look at you from, or worse, an address that you’re associated with.

I justify my lazy opsec by telling myself I’m good at falling through the cracks. Maybe they forgot me in the large database they’ve got going.

The point of opsec might not be to protect yourself but to protect others who actually need it. If everyone practices operational security, those who actually need opsec (activists and such) will blend in and thus be protected. If only activists practice opsec, activists will be quickly identified and smothered.

If everyone “goes dark”, those who actually need to go dark are protected.