Well as the last component of this pocess, I tested the VNC's security over the public wifi. I think its secure. Without using an SSH tunnel, I couldn't connect to anything by issuing my home network's IP:0. However the settings on my XP box's VNC server have been set to allow loopback connections but do not specify allow only loopback connections.

I've just now changed the settings on the VNC server to allow only loopback connections . Sitting in front of the XP box, using my personal wlan, I can still get an ssh tunnel to my router's WAN IP, forwarded to 22 on the XP box, and there I can set up a VNC session to 127.0.0.1:1.

So, tomorow morning I swing back by the cafe and try the setup through the public wifi again. If I can get that going (through the ssh tunnel) after I have changed the setting to allow only feedback loops, then I'll feel pretty confident that everything is working right and the system is reasonably secure.