And it’s not only about user data, it would also expose the website to content spoofing in public wifi, which would for example allow the attacker to inject fishing content in the website. The SSL encrypts the data you’re sending but it also ensures that you’re communicating only with who you think you are. Without SSL you can’t be confident about any of that.