If Steam is providing a shipping label then he almost certainly does. Most companies will eat the cost of shipping mistakes but that doesn't mean you're legally allowed to keep items mistakenly shipped to you.

This just feels like fear mongering to sell VPN subscriptions.

Unless India is running some huge man in the middle attack on HTTPS certificates then it's not technically possible for a government to spy on you without cooperation from whatever site you're using. It's really only DNS lookups that are unencrypted in normal web browsing.