They look like that because their sole intent is to trick people into buying the paid version. Their misleading nature is very much intentional.
I have a firewall, just not the Avast one. I have a VPN, just not the Avast one. My traffic is encrypted. Still I get these alerts because Avast deliberately ignores that and tries to scare us.
When I visit my bank online, I'll often get one of these. "Bank details exposed!" No! No they aren't Avast! It is unsettling how it shows up right that second. And Avast also better only keep a local list of urls to compare to for these, as it is none of their business what sites people actually visit. That may contain political, financial, religious, or otherwise personal information to which Avast isn't supposed to be privy*
* With all 'send info to Avast' disabled I should not need to expect Avast to log visited urls. I understand some of the default installed optional shields do checks against online databases, and some of the shields in de paid version (like real site), but I run none of those. Just mail shield, file shield, and web shield. Plus anti-rootkit/exploit. Nothing more.