

VPNs as a technology might not be illegal but circumventing the firewall certainly is.
Unless you are very vocal and high profile person no one will black bag you in a country of billion people, lol.
This is a bit of a misunderstanding about how things work in an authoritarian system. Sure, you might fly under the radar for awhile, but if you call attention to yourself (say, by getting caught trying to bypass the government firewall) and you are not high-profile, then it is very low-effort to make you disappear. Few will notice, and those that do will stay silent out of fear.
If you are more high-profile you still get black-bagged, you just get released after, with your behavior suitably modified.
Naomi Wu no longer uploads to YouTube.
For individual projects the way this usually works is one of the larger companies that rely on the project hires the developer as an employee to maintain the codebase full-time and help integrate it with their internal processes.
Larger projects might form their own company and sell integration & support to other companies (e.g. Red Hat, Bitwarden).
Otherwise you’re basically dependent on donations or government grants.
There’s a Wikipedia article on this subject: Business models for open-source software
And there’s various industry opinions:
Demystifying the Open Source Business Model: A Comprehensive Explanation
How to build a successful business model around open source software
Open Source Business Models (UNICEF course)
I think monetization is easier for user-facing software though, which a lot of this material is written around, and harder for projects like libraries.