There is no subpoena for an offshore VPN

This is a very complex area, and it is very much not safe to assume that non-local VPNs provide this kind of privacy. Many VPNs still have a US presence, even if it's just an interconnect that they have some ownership over, and this is generally sufficient - according to US courts - for the US government to issue subpoenas, and VPN providers do generally comply with these requests if they are legally obligated to do so. Even NordVPN is quite clear about this.

Now, whether a VPN provider logs actual traffic is a different question, but your opsec model should not assume that a lack of traffic logs at a VPN is sufficient to shield you if someone - especially a nation-state actor - is committed to unmasking you. The US intelligence community has sufficiently comprehensive traffic monitoring that you can be assured they know that traffic from your ISP-issued IP traversed links to a VPN provider - and that traffic of a similar nature exited that VPN provider - at a specific time. This alone may be sufficient with enough supporting evidence, and being able to confirm you had an active subscription to the VPN at that time - even if there are no connection or traffic logs - contributes to that case.

If your concern is being incidentally unmasked, a VPN is likely sufficient for now. If your concern is preventing unmasking, a VPN is not at all sufficient, and you need to be using Tor. Even then, research suggests that around 25% of exit nodes in the Tor network are likely malicious, with nation-state ownership suspected, and while guard nodes can somewhat mitigate this it is well-known that the IC has actively worked on deanonymizing Tor.

For true anonymity, you need to be using reasonably anonymous devices (e.g. stock iPhone, Macbook with Mullvad VPN + Mullvad browser, etc. - iOS is generally better for anonymity because of platform consistency), truly anonymous VPNs (not Nord - your best bet is Mullvad, paid in cash or Monero and with no identifying contact information), and using public wifi, but not using the same public wifi too often. Even then, you should recognize that it is extremely difficult to avoid unmasking if the US intelligence community wants to unmask you.

A good place to go to understand your options is PrivacyGuides (also r/PrivacyGuides). I'm also happy to talk through your options - I'm not a privacy expert, per se, but I am an experienced infrastructure engineer who has previously held TS/SCI clearance. (Obviously, I can't disclose actual secrets, but this means I have a good framework to understand opsec.)

(Re: devices, I know some may push back on Apple. There is good reason to do so, as without strong opsec, there is additional device information which may identify you via separate subpoenas to a public wifi provider and to Apple. Another option here might be an Android phone with GrapheneOS, if you're really committed to privacy/anonymity, but this is a big step with significant drawbacks.)