The main defense against VPN timing attacks is to ensure your VPN exit node isn’t somewhere that the same person would have access to as your connecting IP.
That said, if someone runs a website or service where you have a unique login or custom token and they have access to your ISP’s connection logs… a standard VPN will once again give you away. This is why TOR exists.
I generally argue that an exit VPN doesn’t really provide much privacy; the only real services it provides are georelocation and protection against low effort bulk filtering (eg, identifying torrenters or bulk metadata collection).
For everything else, either encryption and third party DNS is enough, or the exit VPN isn’t enough to stop targeted surveillance.
I’m at 15.9 bits of info and an almost fully unique browser. Of course, that uniqueness changes every time and they don’t test for that.
I’m on iOS.