If it’s an open WiFi (no WPA password) packets are not encrypted anyway, so anyone on this AP can easily see everything that comes through it. A decade ago, when most websites allowed plain HTTP, there was a Firefox extension which let you hijack the Facebook or Twitter session of anyone connected to an open WiFi with a couple of clicks.

Nowadays everything is hopefully encrypted at the application level, so while attackers can see where the data goes, they can’t actually read it.