What is your threat model? If you’re worried about some rando capturing the airwaves and snooping on your traffic, then you’re secure as long as you’re connected to a WPA2 or WPA3 encrypted network, which pretty much every hotspot supports. If you’re worried about whether you can trust the hotspot itself, then no - trust is a social problem, not a tech problem.
No, each session is encrypted separately. Your connection to the wifi router is encrypted with a different session key than someone else’s connection to the same wifi network.
Can't this trivially be worked around by sending deauthentication packets to kick the victim off the network and then capturing the 4-way handshake when they try to reconnect, which you can decrypt without bruteforce because you already know the network's PSK?
There is a deauthentication attack which can really annoy people, and I think WPA2 can be broken pretty quickly, but I don’t know enough of the details to answer that question.
What's your threat model? The vast majority of websites and services use HTTPS or some other protocol over TLS so the data will be encrypted & authenticated regardless of the security of the network itself.