When it comes to Droplet access, DigitalOcean isn't able to physically log in to your server from their end -- this is even more so the case when you're using SSH Keys instead of just a password.
If you lock the root user, create a sudo user, and then create a 4096 or 8192bit SSH Key for login, there's basically one way in unless somehow someone manages to crack a 4096 or 8192bit key. If someone has that much time, then you've got bigger issues -- that, or your server is hacked due to some sort of security issue stemming from packages or software in general being out of date.
Generally, the last issue isn't an issue if you stay up to date and if you're using SSH Keys, logging in using the console is no longer a valid option (with the root user locked).
In terms of logs, if logging is disabled on the VPN service, and the VPN is properly set up, encryption would be to and from the VPN and logs would not exist. With proper setup, this shouldn't be an issue either.
That being said, one other party plays a role and that'd be your ISP. Since encryption is two-way, they would have to physically intercept and decrypt the traffic. If SSL is correctly set up, this shouldn't be a concern either. It'd take far too many resources (which even at scale, your ISP doesn't have) to sift all data from all customers and then decrypt it.
If you're overly concerned, I'd recommend looking into StrongSwan as a VPN. Of course, there are upsides and downsides to both (comparing StrongSwan and IKEv2/IPSEC to OpenVPN), so you'd have to find what you're most comfortable with. Both are, at the end of the day, secure ways to connect when you want sensitive data encrypted.
NOTE: Since there's some back and forth on whether 4096/8192bit keys are worth it, if you lean towards the side that sides with little gain being the result from their use, there's also elliptic curve cryptography. It all depends on what your SSH client will support (as not all support both RSA and ECC).
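
An added example, not part of the answer above: shell helpers that check the three things the answer relies on (root locked, a sudo user present, which key types are authorized) against the text of `/etc/shadow`, `/etc/group` and an `authorized_keys` file. The user name `deploy`, the admin group name `sudo` and all sample data are constructed assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample data (not from a real host); on a server, pass in the
# contents of /etc/shadow, /etc/group and ~/.ssh/authorized_keys instead.
SAMPLE_SHADOW='root:!$6$constructedsalt$constructedhash:19800:0:99999:7:::
deploy:$6$constructedsalt$constructedhash:19800:0:99999:7:::'
SAMPLE_GROUP='sudo:x:27:deploy
users:x:100:'
SAMPLE_KEYS='# constructed authorized_keys entries
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED deploy@laptop
no-pty,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED deploy@phone'

# root_is_locked SHADOW_TEXT
# Succeeds when root's password field starts with '!' or '*', which means
# no password can match it. An empty field is NOT locked.
root_is_locked() {
    local field
    field=$(printf '%s\n' "$1" | awk -F: '$1 == "root" { print $2; exit }')
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# user_in_group GROUP_TEXT GROUP USER
# Succeeds when USER is listed as a member of GROUP (exact name match).
user_in_group() {
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# key_types KEYS_TEXT
# Prints the key type of each entry, skipping comments and blank lines and
# stepping over a leading options field. Covers common RSA/ECDSA/Ed25519
# types; options containing quoted spaces are not handled.
key_types() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) { print $i; break } }'
}

# Short report over the constructed samples.
if root_is_locked "$SAMPLE_SHADOW"; then echo "root: locked"; else echo "root: NOT locked"; fi
if user_in_group "$SAMPLE_GROUP" sudo deploy; then echo "deploy: in sudo"; else echo "deploy: not in sudo"; fi
key_types "$SAMPLE_KEYS" | sort | uniq -c
```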