I am a full-stack web developer; responsible from everything from the server administration to a site's front-end interface. Here are some observations after reading through this thread:
1) HTTPS is becoming more and more ubiquitous daily. Traffic between server and client is encrypted and secure by any reasonable standard.
2) Not all sites providing the "S" in HTTPS are good actors; but if they're bad actors it doesn't really matter if you're at home or Starbucks.
3) A malicious WiFi network (or a bad actor who's compromised an otherwise honest WiFi network) can spoof DNS queries, sending you to fraudulent locations instead of the one you intended. This, not HTTPS, is what I worry about.
4) Using a VPN while in public (which will encrypt all traffic, even DNS queries); or at the very least using a DNS server of your choosing (ie. Cloudflare's 1.1.1.1, bypassing the public DNS server, whatever that may be) is probably a smart, just-do-it-and-don't-overthink-it thing to do. I use ProtonVPN (free) for the scant amount of time I need to do something on my phone in public. If my public WiFi use was anything more than scant I'd pay one of the handful of really reputable services a few bucks a month.
If you're pathologically paranoid, more interested in security than you need to be, and enjoy becoming red-faced with rage when trying to get anything purposeful done, someone earlier mentioned TAILS and Tor. Have at 'er.