Short answer
Reading wallet balance on public Wi-Fi is acceptably safe due to HTTPS encryption. Signing transactions or entering passwords on public Wi-Fi is risky and should be avoided when possible. The main threats are over-the-shoulder shoulder surfing (looking at your screen) and the rare hostile-AP attack where the network operator runs man-in-the-middle. For non-trivial transactions, switch to cellular data; for routine balance checks, public Wi-Fi is fine with normal precautions.
What HTTPS protects
HTTPS encrypts everything between your browser and the exchange/wallet server. The Wi-Fi operator sees only "your device is talking to coinbase.com" and the volume of encrypted bytes — they cannot read your password, balance, or transactions. This was not true pre-2016 when many sites used mixed HTTP/HTTPS; today every regulated crypto service uses HTTPS-only with HSTS, and modern browsers enforce it.
What HTTPS doesn't protect
Shoulder surfing. Someone sitting behind you reads your password as you type. This has nothing to do with Wi-Fi but is the most common public-place credential leak. Use a privacy screen, sit with your back to a wall.
Malicious DNS / fake captive portal. The hostile Wi-Fi could redirect coinbase.com requests to a fake clone. Modern browsers detect the certificate mismatch and show a warning; many users click through. Defense: never click through HTTPS certificate warnings.
Hostile access point. Someone runs a Wi-Fi network named "Free Coffee Shop Wi-Fi" near a coffee shop. You join the fake one. From there they can attempt MITM on specific apps. Defense: verify network name with the venue, use VPN if uncertain.
Side-channel observation. Sophisticated attacks can sometimes infer what site you're visiting from packet timing patterns, even through HTTPS. Not a practical threat for retail users; mentioned for completeness.
Practical risk tiers
Tier 1 (safe on public Wi-Fi). Reading the exchange app for balance check. Reading market prices. Sending a notification or message.
Tier 2 (acceptable with care). Logging in (with Passkey or hardware key 2FA, not SMS). Checking transaction history.
Tier 3 (use cellular instead). Setting up new 2FA. Changing password. Entering seed phrase. Signing on-chain transactions for non-trivial amounts.
The VPN consideration
A VPN tunnels your public Wi-Fi traffic through the VPN provider's server. This protects against the hostile-AP and hostile-DNS attacks. But VPNs introduce their own trust dependency — the VPN provider sees what you're doing. Use a reputable paid VPN (Mullvad, Proton, IVPN); free VPNs sell your traffic data.
For US holders, a $30/month unlimited cellular plan (T-Mobile, Visible, US Mobile) is simpler than VPN-on-coffee-shop-Wi-Fi and eliminates the entire concern.