No, not usually. Few ISPs are willing to risk blacklisting.

Just like scrapers (and a lot of VPNs are quietly using their custom VPN clients to sell your own IP [and data] to scrapers) it's mostly a "don't ask don't tell" situation for IP sourcing. You use a multitude of IP providers and if a scandal happens you just say "We didn't know!" and move on to the next. Almost always grey-market, very rarely through legitimate providers.

Mullvad in particular has a page that lists the ISPs they use (in a few cases their own servers at a datacenter), although they don't list the datacenters (sometimes you can get this info from the ISPs).

https://mullvad.net/en/servers

They also have a document that lists some of their practices around the servers, such as not using shared servers:

https://mullvad.net/en/help/server-list

I noticed that the website of one of the two providers they use near me was over a decade out of date :/. DAITA is Mullvad's anti-traffic analysis framework, without it a single hop can likely be easily deanonymized by logging by a single party (it isn't clear if multihop uses fixed packet sizes between their servers).

Some VPN providers don't even have exit nodes in the country they're claiming. Instead they'll have their IPs registered to the respective countries in GeoIP databases.

This isn't a practice all VPN providers partake in. And from my own anecdotal experiences, Mullvad seem to be using services that are geo-located (I say this because I've tested latency between different endpoints in Mullvad). But it is something to be wary of with some of the less reputable providers.

Not retail ISPs, but many extensions and free VPNs route VPN traffic through the connections of those who use them.