the VPS provider can always get their own certificates for my domains and do a MitM attack.
You can limit which CAs will offer certificates for your domain with the CAA record in DNS. You can also at least detect if someone else creates a certificate for your domain if you watch the certificate transparency logs.
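As an added example (not from the poster above), this is the CAA evaluation a CA performs under RFC 8659, written out so you can audit what your own records actually permit: climb from the requested name to the closest name that has CAA records, then apply `issue` (or `issuewild` for wildcard names). The zone data below is constructed for illustration; CAA only binds CAs at issuance time, so CT log monitoring remains the detection side.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org; account=12345" (params after ';' are ignored here)

# Constructed zone for illustration (not real data): ordinary names may be issued
# by two CAs, wildcards by a third, and nobody may issue under legacy.example.com.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com; account=12345"),
        CAA(0, "issuewild", "sectigo.com"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [CAA(0, "issue", ";")],  # empty issuer: no CA may issue
}

def relevant_caa_set(fqdn, zone):
    """RFC 8659 s3: the CAA RRset at the closest name (walking toward the root) that has one."""
    name = fqdn.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer domain name is everything before the first ';', compared case-insensitively."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain, fqdn, zone):
    """True if ca_domain is permitted to issue a certificate for fqdn under the zone's CAA records."""
    rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True  # no CAA records anywhere up the tree: issuance is unrestricted
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in {"issue", "issuewild", "iodef"} for r in rrset):
        return False
    wild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild only applies to wildcard names, and when present it replaces issue there.
    if fqdn.startswith("*.") and wild:
        applicable = wild
    else:
        applicable = [r for r in rrset if r.tag.lower() == "issue"]
    if not applicable:
        return True  # only iodef or other non-restricting tags present
    return ca_domain.lower() in {issuer_domain(r.value) for r in applicable}
```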