Sure... but (see above) who will be after your traffic, given the difficulty of cracking it. It is still much easier to break into your hotel room and steal your laptop, etc.
Attackers aren't always after anything. Your data might actually be irrelevant. The list of motives extends to simply being a menace or people using you for "target practice".
https://www.shodan.io/search?query=PPTP
I don't think people even begin to grasp the scale of malicious activity on the Internet nowadays. Today alone there have been 12832 SSH connection attempts that my home firewall has blocked and logged, 35 in the last minute alone. Thirty-four of those are from the same host in China (240e:f7:4f01:c:0:0:0:0:3) which is doing a pseudorandom walk of IPv6 address space which indicates a huge amount of bandwidth as there's no reason for my home network to be targeted, and other people are reporting probes from this address too which means that they must be hitting a huge swathe of address space at the same time. The amount of bandwidth necessary to do that suggests a well funded, probably nation-state hacking effort just randomly looking for vulnerable hosts.
That people are prepared to whack about the IPv6 address space at all is quite amazing. To even make it sane to do it means that someone has, on the balance of probabilities, had to start from using
captured traffic from
somewhere to even find a subnet to probe at all. I have a /48 allocated to me, which mean there are 2
16 possible /64 subnets (each with potentially 2
64 valid host addresses) on my network alone, so finding one by chance that is in use is unlikely. Then for the subnet they
have found they have to find a host, potentially one of 2
64 but they seem to just be pseudorandomly scanning the bottom 16 bits, still 2
16 possibilities on a subnet that actually has a handful of hosts, and anyway has a firewall in front of it.
They are going to get nothing, but they know that is probably the case and are
still prepared to try because eventually someone less careful than me will have left them a hole. If they're prepared to spend lots of money on a set of random non-targets with little probability of success, what are they going to spend on something that looks like it
might just possibly be interesting? Now, in that context, does a VPN with a known vulnerability look like they might consider it 'interesting'?
One clearly doesn't have to appear to be a worthwhile target (I'm certainly not, and there's no reason to suppose that someone would think I was) to actually functionally
be a target of this random style of hunting for something worth attacking.