Edit: Apparently it's not enabled by default. I tried Brave some time ago and remembered that it was enabled, which prompted me to uninstall it immediately. Maybe it was enabled by default then, maybe I misremembered.
Having a VPN basically just means sending your traffic (albeit encrypted) to someone else's server, before sending it to the wider internet.
That means if you don't specifically disable it, everything you do in the Brave browser could theoretically be logged, processed and analyzed by the owners of Brave.
Even if the traffic itself is still encrypted, like with online banking, just knowing how many people in a certain city use which bank, for example, could be very interesting to advertisers.
Depending on how evil they are, they could also log extensive amounts of user data, just waiting for the day it becomes legal to sift through it (just like a lot of governments do).
Or maybe they just log and sell your data even though it's illegal. Like a lot of companies do all the time (see Cambridge Analytica scandal etc.).
Or maybe they don't. But if I was a browser company I'd sure enjoy having all my users route all their traffic through servers I control.