Public Wi-Fi is fine, mostly. The problem is the small percentage that injects ads into HTTP, runs a captive portal that logs more than it admits, or sits behind an enterprise SSID with broken TLS interception. You don't know which one you've joined until something behaves strangely.
The pragmatic posture: tunnel everything when on networks you don't control, and stay direct on home and work Wi-Fi where the network is yours. QPOL Android lets you set "always-on" with auto-trigger by SSID — join your home network, no tunnel; join an airport network, tunnel comes up before any app sees the network.
Combine this with split tunneling for the apps that misbehave behind a VPN — your bank, your local government services. They stay on the carrier or local Wi-Fi; everything else routes through QPOL. A hotel TV remote that needs LAN access to the room's Chromecast — keep it direct.
For frequent international travel, "home" might not be a single SSID. Configure trusted-network rules either as an SSID list or as an explicit "tunnel by default" with manual exceptions. The latter is safer.
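The trusted-network and split-tunnel decisions described above, modelled as an added example (not QPOL's code or API). The `Policy` class, function names, SSIDs and package names are constructed for illustration, and a manual exception is modelled as a per-connection user action, which is an assumption. It also shows one reason the SSID list is the weaker option: an SSID is an unauthenticated name, so the list matches any network that advertises it.

```python
from dataclasses import dataclass, field

# Android reports this placeholder when the SSID cannot be read.
UNKNOWN_SSID = "<unknown ssid>"

@dataclass
class Policy:  # hypothetical model, not QPOL's configuration format
    mode: str  # "ssid_list" or "tunnel_by_default"
    trusted_ssids: set = field(default_factory=set)  # only used by ssid_list
    direct_apps: set = field(default_factory=set)    # split-tunnel apps

def network_uses_tunnel(policy, ssid, manual_exception=False):
    """Return True if the tunnel should come up on this connection."""
    if policy.mode == "tunnel_by_default":
        # Only an explicit user action for this connection turns it off.
        return not manual_exception
    if policy.mode == "ssid_list":
        # Fail closed: a missing or unreadable SSID is never trusted.
        if not ssid or ssid == UNKNOWN_SSID:
            return True
        # Name match only: the SSID is not proof of which network this is.
        return ssid not in policy.trusted_ssids
    raise ValueError(f"unknown mode: {policy.mode!r}")

def route_for(policy, app, ssid, manual_exception=False):
    """Return 'tunnel' or 'direct' for one app on the current network."""
    if not network_uses_tunnel(policy, ssid, manual_exception):
        return "direct"  # trusted network: nothing is tunnelled
    return "direct" if app in policy.direct_apps else "tunnel"

# Constructed sample data.
SPLIT = {"com.example.bank", "com.example.tvremote"}
LIST_POLICY = Policy("ssid_list", trusted_ssids={"HomeNet"}, direct_apps=SPLIT)
DEFAULT_POLICY = Policy("tunnel_by_default", direct_apps=SPLIT)

if __name__ == "__main__":
    cases = [("com.example.browser", "HomeNet"),
             ("com.example.browser", "Airport_Free_WiFi"),
             ("com.example.bank", "Airport_Free_WiFi"),
             ("com.example.browser", UNKNOWN_SSID)]
    for app, ssid in cases:
        print(f"{app:22} {ssid:18} list={route_for(LIST_POLICY, app, ssid):7}"
              f" default={route_for(DEFAULT_POLICY, app, ssid)}")
```

In the `tunnel_by_default` policy a network named `HomeNet` still gets the tunnel unless the user turns it off for that connection, while the `ssid_list` policy goes direct on the name alone.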