An unencrypted WAP means all traffic over the wireless link can be read by anyone.
With an encrypted WAP, all traffic is encrypted on the radio link, but anyone with access to the WAP's WAN port can read the traffic even without the encryption key. And for WiFi, anyone who has the WAP's key can read all the traffic on the radio link.
The secure way to use a shared wireless AP is by using end-to-end encryption; your traffic is encrypted before it is sent over the radio link and is not decrypted until it arrives at the destination. So, even with the WAP key or access to the WAP's WAN port, end-to-end encrypted traffic is safe.
A common way to gain end-to-end encryption is to use an encrypted VPN. The traffic using the VPN between your machine and the VPN endpoint is encrypted, and so safe.
One complication: a VPN can use a technique called split tunneling, which means that traffic not destined for the network at the VPN's other side doesn't use the VPN. Traffic that doesn't use the VPN isn't encrypted by the VPN, so if you use split tunneling, traffic not addressed to the other end of the VPN is not protected by the VPN.
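To see which destinations a split tunnel leaves outside the VPN, you can apply the same longest-prefix match the operating system uses to the client's routing table. The sketch below is an added example, not part of the original answer; the interface names (`wlan0`, `tun0`), the prefixes and both routing tables are constructed assumptions.

```python
import ipaddress

# Constructed routing tables (assumed values, not taken from a real client).
# Split tunnel: only the remote network behind the VPN is routed via tun0.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route: straight out over the WAP
    ("192.168.1.0/24", "wlan0"),   # local wireless LAN
    ("10.20.0.0/16", "tun0"),      # network at the VPN's other side
]

# Full tunnel: two /1 routes via tun0 cover every address and are more
# specific than the default route, so they win the lookup.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),
    ("192.168.1.0/24", "wlan0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
]


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match for destination."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {destination}")
    return best[1]


def unprotected_destinations(routes, destinations, vpn_iface="tun0"):
    """List the destinations whose traffic would not enter the VPN."""
    return [d for d in destinations if egress_interface(routes, d) != vpn_iface]


if __name__ == "__main__":
    # Constructed destinations: remote-network host, public host, LAN host.
    targets = ["10.20.5.9", "203.0.113.10", "192.168.1.50"]
    print("split tunnel:", unprotected_destinations(SPLIT_TUNNEL_ROUTES, targets))
    print("full tunnel: ", unprotected_destinations(FULL_TUNNEL_ROUTES, targets))
```

Even in the full-tunnel table, the host on the local wireless LAN still bypasses the VPN because its /24 route is more specific, so that traffic relies only on the WAP's own encryption.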