I'm not an expert on Nord specifically, but let me see if I can help sort this a little.
I can say in general if you are using an "app" and the other party is using the same "app" that you might have an expectation of privacy.
BUT you did bring up an interesting point about the time when a message "drops down" from the internet provider...that point could be a problem...because you can't trust your provider to not be snooping on you.
So encryption protects against that. Even if "they" get the message, it will just be gobbly-gook. The VPN protects you from casual snooping because somebody looking at your traffic can't see what you are doing. But you are trusting your VPN provider as well because they can see where you are going and who you contact.
Some use onion routing and TOR because it's free and a good way to begin...but you're putting your trust in the end-point server to not be snooping. For some strange reason, a lot of TOR servers are in Arlington, VA. Oops, that's not good.
That's why you need encrypted messages, even if your messages get stolen, leaked or whatever, the bad guys still can't read them.