Cryptography without authentication still provides protection against (non-MITM) eavesdroppers, which is very important with public wifi networks nowadays.
Which is why it's strange that self-signed connections are represented to the user as dangerous, while unencrypted connections do not have such a warning even though the former is strictly better.
Public WiFi is the anti example since if you can read to the WiFi, you can write to it and MITM connections. Passive is probably best, right now, against large scale fiber taps. And only as a stopgap.
Which is why it's strange that self-signed connections are represented to the user as dangerous, while unencrypted connections do not have such a warning even though the former is strictly better.