Mobile phones have VPN clients now built into the system. It was much easier to get Android (old one, 2.x but it was possible even in 1.6) to connect to L2TP/IPSec VPN than Ubuntu.
It's unreasonable to assume that the majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that the majority of users will surf with JS disabled by default.
In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.
Intercept HTTP requests that the target site tries to redirect to HTTPS. Then proxy the HTTPS connection. If the user doesn't notice that the lock icon is missing from the URL bar, then they're being effectively MITM'd (and anyone on the WiFi can see all their traffic).
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/.
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the PayPal content and returns it to Alice.
6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
A response to this attack is the "HTTP Strict Transport Security" extension implemented by modern browsers, which, for sites that enable it, prevents the browser from ever even attempting a non-encrypted connection to the site, and also prohibits bypassing the SSL certificate warning page if an unknown/invalid certificate is presented by a MITM attacker.