I can't seem to find a definitive answer on this, so hopefully someone can help me.
We use disconnected editing with Collector out in parks and forests. Since there is little to no coverage for going online to sync up the edits, we're forced to use public wi-fi spots in starbucks, mcdonalds, gas stations etc...
When the data is being synced over these networks; is it encrypted in anyway or sent as plain text (http)? We need to know so we can determine if a vpn is needed on our devices, or if it's ok to connect directly to any of these hot spots.
Although I am not an expert on security, what determines whether or not services are being sent as HTTP vs HTTP's is dependent upon the configuration of the server that is hosting the services being used in your web maps, and not necessarily just the network itself.
For example if you're working with ArcGIS Server, and have configured it to use HTTPs Only, then all of your services would have been added to the web map using HTTPs and will use the level of encryption that is currently configured on the server itself, such as TLS 1.2, 1.1, etc.
This is similar for Portal or ArcGIS Online, as they have their own way to configure security settings as well.
Public Wi-Fi networks are typically open to more security vulnerabilities, as more people have access to them and can use them maliciously. Therefore I wouldn't recommend using public Wi-Fi networks to share sensitive data, even if you're using HTTPs. If you have the option to use VPN, I would recommend to go that route, as you can control who accesses those services.
Here are some helpful links for security best practices for ArcGIS Enterprise and ArcGIS Online:
Are you working with ArcGIS Online, ArcGIS Enterprise, or ArcGIS Server?