Thunderbird is no longer a less secure app as far as Gmail is concerned. Tbird has had support for Gmail's OAuth2 secure authentication protocol for quite a while now, so you no longer need to use an app-specific password or turn on access for less secure apps on Gmail. Sounds like you're not running the latest stable release of Tbird (68.7.0 as at now).

You have to set your Gmail account to allow access for less secure apps in order for Thunderbird to work.

No you use oauth authentication in Thunderbird. It does require you to change your authentication methodin account settings.

Thunderbird fails to connect to gmail when I have my VPN turned on.

And that is how it will stay. The very first thing you have to be aware of is a VPN spoofs you location and IP address. Google use that information to determine it is you. You log in with your VPN and suddenly your connecting from Russia or Outer Mongolia or wherever the exit point of the VPN to the internet actually is. That has nothing to do with Thunderbird and everything to do with your VPN. I suggest you approach the provider for assistance with googles access monitoring.

Google responds that an unknown attempt was made to log in to your account and you account has been locked. I have Two gmail accounts: one fails all the time, the other works thru my VPN. This does not make sense either as the settings are exactly the same. I can only access the one account when my VPN is off. With all the phishing, spoofing, prying gov't eyes etc. I would like to leave my VPN on all the time.

Lets get this very clear. a VPN allows you to send data and receive data through the VPN's end point somewhere out in the internet. However the secure encryption that is so loudly prompted ends at the end point. So when you sign into face book, they still know it is you. When you use Google they also know who you are. by using a VPN you provide them with a new data point. your VPN end point. So Facebook, twitter, google Microsoft and probably a hundred other private companies know you as you and associate the VPN end point with you. Then you have to consider your anti virus program is probably decrypting all of your VPN traffic upon receipt (Most register themselves as certifying authorities so they can corrupt the SSL/TLS certificate stack and decrypt everything "for your protection".

Now if you wanted to "bug" someones traffic, the obvious starting point in their computer. Where everything is already decrypted for scanning. A very good move in the USA would be a FISA warrant under seal requiring your anti virus provider to remotely re transmit all that unencrypted traffic. If you are in Australia or the UK you don't even need a court order for snoops to get access on demand.

Or they go to the commercial companies you have logged into to determine your VPN endpoint and monitor that IP address. a VPN (Virtual Private Network) it a truly wonderful thing, if you are at home and want to log into a corporate network, you fire up your VPN, and the tunnel routes into the private (corporate) network and no one ever get to see the information on the public internet without it being encrypted.

If you have an interest in security, I suggest you rely on public key encryption for email (enigmail et al and secured connections from your local device (TLS/SSL) these are not perfect, but they do provide an encrypted connection between your IP address and the remote server.