With attacks like this [1] even LAN connections to Captive portals are a big risk.

Worth researching a captive portal authenticator and/or absolute minimal browser to advise users to use for minimizing attack surface.

TAILS research on the topic. [3]

[1] https://assets.documentcloud.org/documents/3031639/07-Introduction-to-BADDECISION-Redacted.pdf

[2] https://github.com/subgraph/defector/issues/1

[3] https://tails.boum.org/blueprint/detect_captive_portals/