This is getting harder and harder to do.
If you do want to make progress, invest in a Raspberry Pi
and a WiFi USB thing. Perhaps two....
Run the Pi and the laptop network hardwired together.
Have the Pi connect to the WiFi of the coffee shop.
A Pi can run a decent firewall and Squid proxy with one of many Linux
distro packages. It is easy to reload the uSD card with a clean
OS install. It is easy to remove the uSD card and inspect the
system for anomalies.
The second one... Install it as a VPN access point at your home network
connection. The Pi in your home and the Pi in the coffee shop can contain
shared secrets for a secure link that is harder to man-in-the-middle attack.
There are cooperating groups sharing curated lists of addresses and host
domains that the Pi at home can slurp up and maintain.
The mobile Pi WiFi USB thing can be replaced for ten bucks and
some can have their MAC address randomized to look like yet
I would love to see a product packaged like the Airport Express
that would manage a firewall and VPN.
It is also important to explore VM. A virtual machine
can operate as a sacrificial OS. Copy the image,
start it, get work done, stop it and trash it.
This is astoundingly difficult to do correctly.
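
For the curated address and domain lists mentioned above, one way the home Pi could turn a downloaded feed into input for Squid, as an added example that is not part of the original comment. The feed formats, the sample data and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample feed (not a real blocklist) mixing common list formats.
SAMPLE_FEED = """\
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org  # inline comment
example.net
cdn.ads.example.net
203.0.113.7
198.51.100.0/24
0.0.0.0 localhost
not a valid line!!
BAD.Example.ORG.
"""
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def _valid_domain(name):
    labels = name.split(".")  # single-label names such as localhost are rejected
    return len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(x) for x in labels)


def parse_feed(text):
    """Return (domains, networks) from hosts-format, bare-domain and IP/CIDR lines."""
    domains, networks = set(), set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] in _SINKS:
            fields = fields[1:]  # hosts format: drop the sink address
        if len(fields) != 1:
            continue  # blank, comment-only or malformed line
        token = fields[0].lower().rstrip(".")
        try:
            networks.add(ipaddress.ip_network(token, strict=False))
        except ValueError:
            if _valid_domain(token):
                domains.add(token)
    return domains, networks


def squid_dstdomain(domains):
    """Keep only parent domains: Squid warns when a dstdomain ACL overlaps itself."""
    keep = set()
    for name in sorted(domains, key=lambda d: d.count(".")):
        parts = name.split(".")
        if not keep & {".".join(parts[i:]) for i in range(1, len(parts))}:
            keep.add(name)
    return sorted("." + name for name in keep)
```

The list returned by `squid_dstdomain` can be written one entry per line to a file that a Squid `acl ... dstdomain "file"` line reads; the networks go to the firewall's own set or table.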