Historically, people have gotten caught with their hands in the cookie jar while using tor. Most of the documented cases have been from DNS leaks and the like through targeted attacks.

Theoretically it’s possible to own enough of the intermediate and exit nodes to collect meaningful data about who’s using it and where they’re going. It’s just very difficult and expensive.

I only give it maybe 50/50 odds let the feds have this power, but that’s not particularly rosey for a security product.

From the backbone perspective,VPN traffic absolutely gets monitored on the way out, and they can probably tell everyone that is on the VPN provider at the moment. But timing attacks are rough through a busy crypto tunnel. Your protection basically rolls down to whether they’re keeping logs, whether somebody’s monitoring the backbone around them, and if there’s any point in time where the traffic on the VPN is low enough that they can correlate traffic in with calls out.

Unless you’re pissing off the feds I doubt tor is any better off than VPN.