Well, a basic understanding of basic network architecture would come in handy here.
to avoid MitM attacks in a public network, given the additional layer of encryption the VPN adds
The internet is just a bunch of computers (or rather, servers) communicating with each other. You could connect directly to the internet; however, the servers needed to achieve this would take a lot of electricity and the required hardware is expensive.
This is where your ISP (internet service provider) comes in. They give you a router (you do know what a router is, right?) which connects to their internet hub (the expensive hardware).
Your router is identified by an IP-address (known as external IP-address) which is a unique string of numbers.
So the route of a network request + response to Facebook would look something like this:
computer -> router -> ISP server -> Facebook server -> ISP server -> router -> computer
A request has to go through the ISP, so if the ISP decides to block something, there is no way to that server.
Unless you add a VPN which has unrestricted access, because then you get:
computer ~> router ~> ISP ~> VPN -> Facebook -> VPN ~> ISP ~> router ~> computer
The ~> indicates VPN encryption, so the ISP can't see what website you request, bypassing the blockage. To the ISP, it will look like you make a request to the VPN server, which isn't blocked.
But if the VPN is in the same network, the request from router to ISP won't be encrypted, and the ISP can block it.
Certain things within this example are simplified.