Not sure where you're getting this idea. I've never been on a VPN where services inside the VPN all just assumed I was allowed to be there. Internal services still at least required a username and password, and some would require 2FA as well.
I'm sure there are some VPNs that are implemented a poorly as you describe, but I'm not sure that's the common case like you seem to think.
I'm sure there are some VPNs that are implemented a poorly as you describe, but I'm not sure that's the common case like you seem to think.