Your intuition is correct. The exception is that DNS will, by default, be sent to the default router DNS servers, which might monitor/track what you do (most ISPs run DNS that do this too), and unencrypted HTTP. Unencrypted HTTP is more and more rare as time goes on.

Most of the "shame on public WiFi" comes from VPN companies, which are just trying to fearmonger into a sale. Sure, DNS over HTTPS isn't as widespread as it should be. Sure, some websites aren't encrypted, still. But that doesn't mean that routing all of your insecure traffic to a VPN provider so they can handle it instead is going to increase your security. It just moves the threat model from "your public WiFi network and people on it" to the VPN provider.

If you really want to be safe, you could run your own VPN with algo (https://github.com/trailofbits/algo) or manually set up WireGuard and route traffic e.g., back to your home ISP, instead. That's probably my best suggestion, rather than using any of the cliche VPN providers that advertise everywhere.
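As an added example (not the commenter's own configuration): a minimal WireGuard pair for the setup described above, a box at home acting as the exit and a roaming laptop sending everything, DNS included, back through it so the hotspot's router resolver is never used. Keys, the `home.example.net` hostname, the `eth0` uplink name and the 10.8.0.0/24 range are placeholders/assumptions, and the `DNS =` line assumes a resolver is listening on the home box itself.

```ini
# ---- /etc/wireguard/wg0.conf on the home box (server side) ----
# Requires net.ipv4.ip_forward=1 (and net.ipv6.conf.all.forwarding=1 if
# you hand out IPv6) so the box will forward the laptop's traffic.
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <HOME_SERVER_PRIVATE_KEY>   # placeholder: output of `wg genkey`
# NAT tunnel traffic out through the home uplink; eth0 is an assumption.
PostUp   = iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

[Peer]
# The laptop. Only its own tunnel address is accepted from this key.
PublicKey  = <LAPTOP_PUBLIC_KEY>          # placeholder
AllowedIPs = 10.8.0.2/32

# ---- /etc/wireguard/wg0.conf on the laptop (client side) ----
[Interface]
Address    = 10.8.0.2/24
PrivateKey = <LAPTOP_PRIVATE_KEY>         # placeholder
# Resolver reached through the tunnel (assumes one runs on the home box).
# wg-quick installs it as the system resolver while the tunnel is up, so
# lookups no longer go to whatever DNS the public WiFi's router hands out.
DNS = 10.8.0.1

[Peer]
PublicKey = <HOME_SERVER_PUBLIC_KEY>      # placeholder
Endpoint  = home.example.net:51820        # assumed hostname; DDNS works too
# Full tunnel: every IPv4 and IPv6 destination is routed to the home link,
# so plaintext HTTP on the hotspot is only visible to your own ISP.
AllowedIPs = 0.0.0.0/0, ::/0
# Keeps the NAT mapping on the hotspot alive while the laptop roams.
PersistentKeepalive = 25
```

Bring it up with `wg-quick up wg0` on both ends; a quick check that the DNS path actually moved is that `resolvectl status wg0` (or `/etc/resolv.conf`) shows only 10.8.0.1 while the tunnel is up.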

Just curious: Any practical difference between Algo [0] and PiVPN [1] from someone that has tested them? Both seem to support WireGuard.

[0]: https://github.com/trailofbits/algo

[1]: https://pivpn.io/

I just learned about Algo but have been a long-time user of PiVPN (from when they only supported OpenVPN!) on my Raspberry Pi, so in the case that I wanted to reinstall the server, I wonder if the change would bring something new to the table.