Does disabling install scripts actually do anything though? The attack would still work if put in the code itself, no? The only difference I can see is that it would run when the project is run instead of when the package is installed.

Instead of your ISP seeing every site you go to, a different company sees every site you go to.

VPNs have their uses, but avoiding surveillance is not one of those uses.