Yes, every modern browser warns by default when using an insecure website (unencrypted, encrypted with an unknown certificate, and other reasons). The point is to make it as difficult as possible for people who don’t know what they’re doing to access insecure websites. Usually the option to ignore the warning is hidden behind small “Learn more” or “More options” clickable text, which then reveal the button to ignore the warning.

If you use any of the big browsers, you’d need to have a very outdated version to not have that by default.

A VPN does help with privacy, yes. A different DNS than the default one can help with privacy as well, considering that the default one is usually your ISP’s own DNS, and the DNS you setup can see the domains you visit.

DNS over HTTPS is the encrypted alternative I was referring to, yes. Having it configured is best, but it is rarely the case by default. Most VPNs automatically setup their own DNS, usually over HTTPS, when they’re on, which is why I said it usually completely fixes the issue.

I don’t think anyone who is not particularly worried about privacy should worry about having custom DNS setups or VPNs for anything other than spoofing your location (or eventually some side features like blockers, but that’s not really part of the VPN). Changing the DNS configuration is an easy and free step though, so if you want to worry about the privacy of people around you, setting up a more private DNS, and over HTTPS, is not a bad idea.