Generally speaking: most banking websites and apps have their own SSL security, so that's fairly well protected.
As far as other websites and data goes: if it's not SSL, then it's wide open on an public wifi hotspot. If you're using Facebook, Gmail, or other websites with data you want kept private, make sure you're on SSL (using
https://).
The same should be true of your e-mail. Go into Settings -> Mail, and click on your individual accounts. Get to the Advanced menu, and make sure this is set on all of your mail accounts:
This will help secure access to your mail.
All of this is pretty much good practice, VPN or no VPN, or even on an iPhone. People don't realize that technically, the 3G network is also one big, public hotspot, and while not (yet) common, it's totally within the realm of possibility that someday we could see snooping on the cellular network.
As far as VPNs go, that will do a good job of securing everything from praying eyes on the Wifi hotspot. The kicker is, you need to be able to trust the VPN provider, because while you're securing your data usage against eavesdropping at the WiFi level, you're also funneling ALL of your data through that VPN provider.
Personally, I would go with WiTopia. They have a good track record and have been around for years, and their basic VPN plan is $49.99 per year, offering Cisco IPsec which is both secure and supported natively by iOS devices.
