VPN is for when you're trying to conceal your physical location or conduct business without secure encryption.
The way you avoid trouble is to make sure you use a modern web browser that supports TLS 1.2 or later encryption. SSL encryption was deprecated about 3-1/2 years ago so it should be avoided. A modern web browser and a conscientious bank or vendor will allow you to scramble your financial exchanges using TLS such that it is very, very hard to get in the middle.
To make sure nobody can log in easily as you, use two-factor logins that require some interaction between you and the vendor (typically via text, voice message or e-mail) to set up.
Never (and I mean NEVER) use a web search to find the access point a secure website. If your browser search (or the search engine itself) is compromised, it may take you to a doppelganger site that collects your credentials. Type in the the site name fully and directly into the URL bar of your browser or better yet, use your browser address book to capture addresses and visit sites. DO NOT TYPE URLS INTO A SEARCH BOX (unless you have one of those idiot browsers that combines the two -- something I don't recommend).
Finally, I recommend using a password manager and generate arbitrarily large random passwords that you change occasionally.
I (for the most part) never ever ever use public wifi, I've always used a 3G/4G cellular USB modem or cellular hot spot to connect when away from home.
My router has VPN capabilities (SSL VPN, PPTP, L2TP, 50 site to site tunnels) the two or three times I've used public wifi due to no or poor cellular reception, I connected to my home VPN. I have Cisco AnyConnect set to route all traffic through my home connection when connected to the VPN. As a side benefit, something like Spectrum's streaming TV service, where a lot of channels are not authorized to be accessed out of your home network, can be streamed while connected to the VPN, since all traffic is routed through it.
I wouldn't waste my time with a commercial VPN for what you want it for. An up to date OS, with an up to date browser, decent security software, being behind a router with the firewall enabled, long strong passwords that you change on a regular basis with 2FA is more then sufficient. Plus behavioral habits like not clicking links in emails, but if you have to, hover over the link to make sure it's going to where you think it's going to, don't install software, plug ins or browser extensions that you don't need or aren't familiar with. And if you participate in the cesspool of social media, don't post personal information. Since people post their entire lives online in graphic detail, a little social engineering is all that's needed to figure out a lot about you. The answers to all of my secret security questions for various online accounts are all 100% lies. Even though I don't use Facebook, Twitter, LinkedIn or any of that other crap, my mothers maiden name is public information, the city I grew up can me narrowed down to a small handful by doing a simple Google search.