Firefox’s free VPN will offer 50 gigabytes of monthly data, which is pretty generous for a browser-based VPN. A Mozilla account is required to make use of it, which isn’t a hardship (they’re free), but is a point of friction some may wish to know upfront.
So if they were going to do an attack like this, they wouldn’t do anything like the DH attack you’re talking about, they’d have a custom CA in the browser’s SSL root store. That root cert means they can generate a certificate for any website you visit, and that custom root cert would be how they decrypt your traffic.
Afaik there isn’t a current attack on proper DH key pairings, but you can’t block the custom certificate path at the browser level without some serious server side work/client side JS to validate