Camera could be taking pictures of QR codes to make it easier to set up a VPN.

Bluetooth could be integration with things like Yubikeys for authentication.

Dunno if that's what they're actually for, though.

I don't get why the entire world isn't on Mullvad.

I don't trust these guys at all. I trialed them and despite their full money back guarantee, they locked me into a support loop, always switching support staff with boiler plate responses and links that dealt with account issues or whatever. It wasn't until I left a stern reply demanding the refund or I would escalate the matter with the proper regulatory bodies.

It took 4 support tickets. To me, they came across hella shady.

What kind of VPN would need those permissions?

The one that Edward Snowden (yes, that one) publicly and explicitly called out that people shouldn't use. I won't rehash it here, but it's worth reading about.

I use Express VPN and the camera permission is relatively new as I don't have it enabled and it's never asked me prior to enable it. I dug through the app and found it within their new password manager when you add a new credentials it offers you to help setup 2FA with the major providers and you can optionally scan a QR code with it so it's a benign convenience feature.

Bluetooth on the other hand I cannot explain unless it's to proxy any connections Bluetooth devices might make.

Not an endorsement of ExpressVPN, I've learned to avoid companies that sponsor on youtube. However, I believe you don't need the proprietary app to use the service, you could use a free software OpenVPN client such as this one.

They do offer support for OpenVPN although, unsurprisingly, they heavily push their proprietary client as the preferred way to use the service. This alone would be enough to discourage me from using it or recommending it.

Dunno about Bluetooth, but isn't Expressvpn pushing their new password manager? I imagine it's a separate app, but if not, then it would make sense to have camera to read 2FA QR-codes.

Edit: from their site:

Keys comes included in any ExpressVPN subscription and is built right in to our apps for iOS and Android.

Yup, that's got to be the camera. Still not sure about the Bluetooth though.

There are Bluetooth FIDO security keys out there for 2FA, like: https://thetis.io/products/fido2-ble-security-key. Some implementations can also use a phone, running an app via BLE. Not sure if they use it, but that could be one reason it's asking for that permission.

Camera permission may be needed for scanning QRCodes to set up 2FA.

If handfuls of youtube sponsor callout videos has been proof of, is that you should never use a service advertised on youtube.

I prefer mullvad. Not only is their pricing and account system much more privacy focused, they are a European (Swedish) company and are bound by the laws of my country by default. Another European one is surfshark (Dutch) which I used before. I trust mullvad more though. They also have open source clients and had no user data stored when they were raided once before.

Edit: clarifying the reason I used surfshark. I used it back when I was in high school a few years ago, so their 3 year plan seemed like a very good price. They also supported this very obscure VPN protocol whose name I can't remember, and my school just so happened to have forgotten to block it on their network. But I couldn't use that protocol on Linux due to incomplete connection steps provided by surfshark, and I switched to using linux full time in the second half of my first year, so that was a waste and I just used my mobile data.

probably qr scanning
bt for FIDO

In the mobile space, there are Chinese calculators apps on Androids by manufacturers that require internet access...

deleted

lol

Don't use ExpressVPN, they and others make money off of your data.