HTTPS solved much of the security issues of untrusted networks. As long as you’re not doing banking or whatever, you should be fine without a VPN.
It should be fine as long you don’t click through any SSL errors. And something like a bank should have HSTS enabled, meaning your browser will refuse to load the site if there’s an SSL error.
They don’t let me choose a password longer than 6 characters. I don’t assume anything about my bank’s security.
Why would banking be an issue? I get that its a target, but I really would expect a bank to take care of their TLS.
Also i would expect banks to use some sort of 2FA where you have to manually confirm any transaction on your mobile device, or enter a code generated from there into your computer.
No security measure is perfect. When doing security-sensitive things, it’s better to wait when you’re home on an uncompromised network.
But yes, the chances of something happening is very small, even when using an unknown network.
Personally I do a Tailscale tunnel to my home network, if nothing else but so that services don’t log a hotel IP
