Is public Wi-Fi a threat nowadays?
Public WiFi is still insecure, and it will always be if not used together with something like a VPN.
- Many websites use HTTPS, but not nearly all. In fact, more than 30 percent don't.
- Only around 5 percent of websites use HSTS. And it's still trust on first use. If the max age is short, that first use can be quite often. Let's face it, even if you are a security pro, chances are that you would fall for SSL strip anyway. I know I would.
- Just because you use HTTPS doesn't mean you do it right. There's still a lot of mixed content out there. Many clients still support old versions with known vulnerabilities, so an attack doesn't have to be a zero day to be successful.
- Even if you use HTTPS, you leak a lot of information anyway, such as the domain you visit, all your DNS traffic, etc.
- A computer or phone uses the internet for more than just browsing:
  - All it takes is one app that has bad (or no) crypto for its update function and you are owned.
  - All those apps you gave permission to access all sorts of personal data... They are phoning home constantly and you probably have no idea what data they are sending and what if any crypto they use.
  - Dancrumb has more examples in his great answer.
- Defense in depth.
A VPN is cheap and it is still a low hanging fruit when it comes to security.
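Added example, not part of the answers on this page: a small auditor for the `Strict-Transport-Security` header that shows how the trust-on-first-use window mentioned above depends on `max-age`. The function names, the 180-day threshold for "short" and the sample header values are assumptions constructed for illustration.

```python
import re

# Assumption: below 180 days counts as "short"; the page gives no number.
SHORT_MAX_AGE = 180 * 24 * 3600

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).
    Returns {directive: value}, or None if a browser would ignore the header."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives between semicolons are allowed
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form: max-age="31536000"
        if name in directives:
            return None  # a repeated directive invalidates the header
        directives[name] = value if sep else None
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return None  # max-age is mandatory and must be digits only
    directives["max-age"] = int(age)
    return directives

def assess(header):
    """Rate the downgrade protection a response header gives on an untrusted network."""
    if header is None:
        return "none: no HSTS, every plain-HTTP visit can be downgraded"
    policy = parse_hsts(header)
    if policy is None:
        return "none: header is malformed and will be ignored"
    if policy["max-age"] == 0:
        return "none: max-age=0 tells the browser to forget the host"
    notes = []
    if policy["max-age"] < SHORT_MAX_AGE:
        notes.append("short max-age, trust-on-first-use repeats often")
    if "includesubdomains" not in policy:
        notes.append("subdomains not covered")
    return "weak: " + "; ".join(notes) if notes else "strong"

if __name__ == "__main__":
    # Constructed sample values, not captured from real sites.
    for h in (None, "max-age=300", "max-age=0",
              'max-age="31536000"; includeSubDomains; preload'):
        print(repr(h), "->", assess(h))
```
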
I'm a little surprised that nobody has pointed out that there's more to the internet than HTTP.
Even if your claims about HTTP(S) and HSTS were correct (and other answers discuss that), you're forgetting POP, SMTP, IMAP, FTP, DNS, etc. None of these protocols are inherently secure.
Another difficulty of public wifi access is that you are on the same local network as other unknown actors. Any misconfiguration of your local network permissions can lead to an intrusion into your device. Maybe at home, you have configured shared data on your local network. Now, everybody on the same wifi access point may have access to those shared data. Most often, this protection is assured by a firewall (whether at the office or at home), and you consider the local network more secure than the naked internet. But this time, you may be on the same local network as an attacker.