Your sarcasm is clearly masking extreme ignorance as to how the Web, the Internet, and computer security in general work, but I'll bite for one comment. Beyond that, feel free to do your own research (there's a website called google.com on which you can type "why is unsecured public wifi risky").

> Sniff the packets? Oh no, they found out what websites I visit

Leaving aside the obvious attack vectors of spoofing the access point or compromising the router, packet sniffing itself presents vulnerabilities. One of the primary reasons that defense in depth is a fundamental principle of network security is that a single browsing session interacts with a gargantuan number of different actors[1], and the odds of multiple gaps lining up is nonzero.

While you're checking out this Google website, look up what a "cookie" is in the context of the Internet. You may have noticed that you don't type in your password during every web request you make to a website logged in to, because you send cookie data instead that consistently identifies your different requests as belonging to the same session. Cookies are not encrypted with nearly the universality that passwords are, and an attacker with access to your cookie can impersonate you(r session) to the server that you're communicating with.

> What's that, they don't know what person on the bus I am?

I'll admit this last part of your comment made me question whether you even know what the Internet is. Are you under the impression that it's impossible for a browsing session to contain a collection of data that is useful without knowing what a person looks like or which seat on a bus they're sitting in? Are you under the impression that all successful hacks involve sending surveillance drones to visually identify the target?

[1] Not just the network infra and websites you're using, but every injected script and and ad on each of them