Hey Lee,
That is a great point and I agree that HTTPS is a secure method to connect to any website to protect the data between the client and server, it does not ensure the end user is applying operating system hardening techniques, we try to emphasize that in the larger scope of things if I can access your computer from the hotspot and steal session cookies, use-after-free vulnerabilities in the browser, "Remember me" option storing password info, remote-code exploitation-scenario being when you are using a password manager and it performs auto-logon, all I need is a remote connection and the password manager gives me access, installing software key loggers(capture your username and password then reuse it from my computer)...then HTTPS while a good start needs to be coupled with defense-in-depth such as antivirus/antimalware, updates, patches, the average user from these types of vulnerability exploitation.
In most situations you should be ok only utilizing HTTPS as your only method of securing yourself on a hotspot but there are still security concerns.
Best Regards,
Wes Bryan
Knowledge is a road to be traveled upon, not a destination to be reached~~