It's unreasonable to assume that the majority of users surf through a VPN, because no one bothers, not because of any technical difficulties. But it's also unreasonable to assume that the majority of users will surf with JS disabled by default.
In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.
How is this possible?
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the Paypal content and returns it to Alice
6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
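The weak link in the steps above is hop 2, the plain-HTTP request that Mallory answers. The server-side control for that is the Strict-Transport-Security header: a browser that has already seen it for the host skips the HTTP hop on later visits. The audit below is an added example (not code from this thread or from PayPal) that walks a redirect chain and reports which plain-HTTP hosts never get covered; the hops and the six-month minimum max-age are constructed assumptions.

```python
"""Added example, not from the thread: an HSTS audit of the redirect chain
described above.  The attack works because step 2 is plain HTTP; a returning
browser that has seen Strict-Transport-Security for that host skips that hop.
Sample hops in the test are constructed, not captured from paypal.com."""
from urllib.parse import urlsplit

MIN_MAX_AGE = 180 * 24 * 3600  # assumption: roughly six months


def parse_hsts(value):
    """Split 'max-age=...; includeSubDomains' into a lower-cased dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def audit_chain(chain):
    """chain: ordered (url, headers) hops as a browser would follow them.
    Returns findings; an empty list means every plain-HTTP host in the
    chain would be upgraded by a browser that had already visited it."""
    plain_hosts = []
    coverage = []  # (host, include_subdomains)
    findings = []
    for url, headers in chain:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hdrs = {k.lower(): v for k, v in headers.items()}
        if parts.scheme == "http":
            plain_hosts.append(host)  # browsers ignore HSTS sent over http
            continue
        hsts = hdrs.get("strict-transport-security")
        if hsts is None:
            continue
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_MAX_AGE:
            findings.append(f"{host}: max-age={max_age} is shorter than assumed minimum")
        coverage.append((host, "includesubdomains" in d))
    for h in plain_hosts:
        covered = any(h == c or (sub and h.endswith("." + c)) for c, sub in coverage)
        if not covered:
            findings.append(f"{h}: plain-HTTP hop never receives HSTS; strippable on every visit")
    return findings
```

Note that HSTS on www.paypal.com alone does not cover the bare paypal.com hop; the apex must answer over https with includeSubDomains (or be on the browser preload list) for the first hop to disappear.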
I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.