Proton is trying to do too many things and can't excel at doing one thing. It's getting too big beyond its capabilities which means services are going to suffer at a lower quality.
If they want blanket trust from users, remove the VPN login to make it anonymous and change the VPN code to remove all anti-features and comply with native F-Droid, otherwise RiseUpVPN is the only choice for everybody to use.
I have to admit that I don't know enough about any of this to be sure I'm reading in the right way. Is it "known malware, free VPN" or "known malware-free VPN"?
It's one of the most transparent services, there's this neat video examining the available free VPNs by Techlore that was coincidentally made very recently: peertube/piped
According to F-Droid build service, it says ProtonVPN depends entirely on non-free network services, which means:
"This Anti-Feature is applied to apps that promote or depend entirely on a Non-Free network service which is impossible, or not easy to replace. Replacement requires changes to the app or service. This antifeature would not apply, if there is a simple configuration option that allows pointing the app to a running instance of an alternative, publicly available, self-hostable, free software server solution."
Compared to RiseUpVPN source code which has zero anti-features.
It's the combination of requiring Proton servers and the fact that there is no public release of server source code or specifying which open source software runs on Proton servers, which amount to a type of vendor lock-in.
RiseUpVPN uses OpenVPN from Bitmask so everybody can duplicate the service using their own custom build version of OpenVPN to connect to RiseUp servers so their server's code is publicly accessible.
you can do this with proton servers as well. they offer openvpn and wireguard. iirc, the "non-free services" is because the "Alternate routing" feature in proton apps routes over Google servers. if you disable this option it goes directly to their servers.