Of course not, the malware comes from the token rings...

That said though, the actual point was that you can't know or really vet that MyCafeWifi and MyCafeWifi are both legit, or know that one is legit and the other is someone doing a MITM faking an access point. So using a VPN when you do connect to MyCafeWifi is just an added layer of protection.

As for the assumption... I hope so, but you don't necessarily have to think you're a surveillance target, for instance, maybe the Chinese intelligence apparatus can decrypt traffic passing through my VPN, and likely they do not care, but when I'm in China I absolutely do not connect to anything without a VPN running.

Fun experiment. Go to a hotel with a travel router and give your travel router an SSID that is eerily similar to the legit hotel WiFi. Maybe something like "Marriott_Guest" vs "Marriott-Guest" and then just wait and see how many people try connecting to it unaware that it's not the right AP.

But yeah, 99% of all people really do have little to worry about that TLS doesn't already address, and like I said, personally I lean more to the paranoid side of things.