If someone was snooping they would only see what website I go to right? However, username and password are encrypted via HTTPS right?
Quality HTTPS will protect you in most situations. Under no circumstances should you accept a security certificate offered by the access provider (this allows man-in-the-middle, or free access to your underlying traffic regardless of HTTPS). This isn't available for Safari on iOS but you can reasonably trust safari to use HTTPs.
Heres what you need to do: Install HTTPs everywhere browser extension. Browsers look for bad HTTPs floating around, and this browser extension forces your connection to HTTPs if a website supports it. They also keep track of major websites security certificates in order to detect if you're being served something fishy.
If you're connecting to a reputable email provider (gmail, microsoft etc) and use HTTPs everywhere, you're fine in most scenarios. The cryptography used when you connect to gmail is the best that humanity has. No one is breaking it, even if they record your traffic.
I vehemently oppose using commercial VPNs for lots of reasons. I run my own in the cloud using
Algo VPN for $4 a month. There are other measures you should take to protect your device while browsing because our modern web
sucks but that could derail the thread.