Is it how StingRay work? My understanding is that it’s about faking being a legit tower, not compromising a legitimate network.

Depends, as usual, on your threat model. I do not know where you live, where you went, what you do, who you are and thus who you worry about.

That being said :

• if you rely on someone else hotspot well you delegate the risk too. If they relay your traffic they can still shape or monitor your traffic. Obviously I would not expect your family member to do that… but if you are being monitored and there are data showing that you are not at home or work (wherever you usually are) and other data you are traveling together (e.g. plane tickets, border control with IDs checked, connection to services with different IPs) one could expect your surrounding to be potentially targeted. That is one extra hoop and it might protect from “shallow” surveillance but I would not be so sure.
• SIM main problem in your situation IMHO is KYC, basically that you can’t buy one without an ID and thus if you have expectation of anonymity regarding the provider of the SIM then it is not viable indeed.
• eSIM AFAICT do not enforce KYC (no scan of ID to send) and typically offer to purchase a SIM outside of the country one is visiting, unlike physical SIMs. Sure they might share ICCID and more but unless that piece of data is linked with your actual name then it might not be a problem
• honestly if you worry about “weird hacking attempts towards me from the government” then you better know a lot more about cybersecurity than I and random people on the Internet do. It’s one thing to worry about mass surveillance, with or without BigTech, but if a state agent is paying actual security professional to hack your devices or accounts then it’s another ball game entirely.

Depending on where you are travelling to and from, you can often get an anonymous prepaid SIM card. That is what I do: buy one with cash, put it into a MiFi router, and only switch it on when I need internet. That way I stay off the records of whoever else is with me and I am not relying on their identity as a shield. I have not found an eSIM provider that gives me the same level of anonymity, so I have avoided those.

If you really have to register a SIM with your identity, it depends on the situation. For example, if you buy a SIM in the EU, activate roaming, and then use it in Mexico, the Mexican authorities can’t instantly demand your subscriber info from the EU. On the other hand, if you or your family buy local SIMs while showing ID, then travel together and check in to hotels together, it makes little difference whose SIM is whose. For Mexico specifically, you can walk into an OXXO store, pay cash, and get a prepaid SIM with a data package, no ID required. Many countries have similar cash options so you check ahead of time.

About whether the worry is justified. The type of surveillance you mention, such as stingrays, requires both strong capability and strong motivation. If a government wanted to, they could stop your entire family at the border before you ever left. But from what you describe, you are just a foreigner who might pass by a protest. That is unlikely to trigger the level of targeting you are thinking of.

Still, I would not call it “in vain.” Building habits that protect privacy and understanding how information flows is always useful. But if you can get a prepaid SIM anonymously with cash, it is usually a cleaner option than tethering from family.

By having a physical SIM or an E-SIM, your ICCID and other data is transmitted directly to the tower, so using your family’s hotspot was the better option in that case.

Anything connected to the cellular network should be considered compromised, it doesn’t matter if you’re using a SIM from your own country or a local one if it goes through towers of the country you’re visiting.

If you’re so concerned, turn on airplane mode before leaving the network you trust and take a separate device for sharing internet over Wi-Fi or Bluetooth.