There is a risk when using public WiFi networks that your internet traffic is being spied on by somebody else. Let me explain...
When using a public WiFi network, somebody with malicious intentions (an attacker), can easily spy your internet traffic by using easily accessible tools (such as WireShark). It's even easier to do this when the WiFi has no required password to join. The attacker can simply start collecting your traffic because your unencrypted data is being broadcasted all around the network.
It's a much safer idea to use a secured WiFi connection (with a required password). Although, when connecting to a secured WiFi network, your device shares an "encrypted" version of the password to WiFi access point to prove that you have access to the network. This "encrypted" password can easily be captured by an attacker as well. The only problem for the attacker is that the password is "encrypted", meaning if the attacker wants to extract the password, they have to use a program that takes hundreds (or thousands) of passwords every second, then "encrypts" them, then compares them with the original password. If the two match, then you have successfully cracked the network's password. The longer the password is, the harder it is for an attacker to crack.
Whether you're using a public, or private WiFi network, if the attacker is already connected, they're able to capture your internet traffic. So, the two ways to prevent a potential attacker from capturing any sensitive data are,
When surfing the web, make sure that the address in the URL bar says HTTPS and not HTTP. The "S" in HTTPS stands for Secure. If you're using a website that is insecure (using HTTP) an attacker can literally capture everything you put into any input fields, such as usernames, passwords, credit card numbers, etc.
If you use a VPN, an attacker will not be able to view any of your traffic. This is because VPNs encrypt your internet traffic before sending the data through the network. This means that while an attacker can still capture this data, it's close to impossible to decrypt the actual meaning of it.