Mitm is still pretty trivial to perform from hotspots, even for supposedly-https websites. There's a dozen ways I can inject traffic into your browser, whether on the initial connection to the site you want, or in one of the many non-https connections from 3rd party content loaded into practically every website on the internet. This isn't even taking into account the vast number of attacks on https clients and protocols.
Second, nobody is trying to inject traffic in your browser on a hotspot. Nobody. Nobody cares about your connection. There is no secret cabal of hackers sitting at every airport and starbucks waiting to steal your Facebook login. They don't give a shit. You are the tiniest small fry, and they have much easier ways of committing cybercrime that pay out much better and provide them better intel.
And yes, if I want to make sure i'm secure, I use a VPN. I assume all public browsing sessions are hijackable.
Second, nobody is trying to inject traffic in your browser on a hotspot. Nobody. Nobody cares about your connection. There is no secret cabal of hackers sitting at every airport and starbucks waiting to steal your Facebook login. They don't give a shit. You are the tiniest small fry, and they have much easier ways of committing cybercrime that pay out much better and provide them better intel.
And yes, if I want to make sure i'm secure, I use a VPN. I assume all public browsing sessions are hijackable.