WPAD is still a thing, proxies terminate https. HSTS works when your first visit isn't over the public wifi; plenty of very important sites don't use HSTS. Even if HSTS was perfect, you're assuming users won't install malicious extensions or download malware at the suggestion of the evilwifi.