- Use strict https only.
- Use your own encrypted DNS-Provider or your VPN DNS. But don’t use the DNS you get from the open Network.
- Activate your firewall and check if local (the local wifi network) network isn’t allowed to connect to your device.
- Use A VPN with a Kill switch enabled and if your Provider supports it enable something like Mullvad Lockdown mode aka. always on VPN.
- In addition I would avoid turning on Bluetooth or NFC (disable it if you can)
Is HTTPS enough or should I be doing more?
Not really since the DNS-request could be read and manipulated (if you don’t use encrypted DNS) in addittion the Client hello of an https connection is not encrypted, so it is possible to to see or manipulate the website you visit even with DoH.
Edit:
In addition I would also try to ensure that MFA is everywhere active and nobody looks over your shoulders while you type your passwords.