Technically DNS will let you look up a host name from an IP address, but the catch is that it might not work: it’s not automatically configured. And even if it is configured you might not get all of the host names pointing at that address.
Very many webserver operators don’t bother adding the server’s host name to reverse DNS. For example, lemmy.world’s IP address does not map to any host name in reverse DNS, and google.com’s IP address maps to some completely different name for me, with no mention of Google in the returned name.
Also, many websites can be served from the same IP address, especially if they are hosted in the cloud. You are correct that someone snooping on the connection would still see the IP address, but if that points them at something like a webhosting company or a CDN (or some other server hosting many different sites) it still doesn’t really tell them which specific site is being accessed.
But yes, if the site you’re accessing is the only one hosted on that server then the snoop could potentially guess the host name. But even then: how would they know that’s the only site hosted there? If some site they’ve never even heard of uses the same IP address they would never know.
Without a VPN every host you connect to can approximate your location down to a few miles.
I just tried a few geo-IP lookups of my current IP address, and they all point to a location that (as the bird flies) is almost exactly 100 miles from my actual location. This is despite the ISP I’m using being headquartered in my current city, but maybe they have some infrastructure there?
On mobile data I instead get a location 90 miles away, and if I look up the IP address of another machine I know the exact location of, the result is 60 miles off.
60-100 miles is a pretty generous definition of “a few”.
You forgot one: