Gregory's Server
Okay so the idea is
You have two WPA3 APs which share a password but have different SSIDs. You as the user know that one of them is not secure somehow. You might also have a VPN configured to disable automatically only on the secure SSID.
An attacker creates an AP near, with the secure SSID, and relays your connection to the insecure one. The client device will show secure SSID but connection security will be degraded, and VPN will disengage.
Not sure how many networks would actually rely on SSID or would have two WPA3 APs with different SSIDs one of which is vulnerable somehow. Sounds a bit exotic.
But authors show one good case with eduroam, where they make university devices from Campus A connect to spoofed APs relaying to less secure devices in Campus B. Client devices still think they are connected to Campus A and disengage VPN.
And there an attacker can theoretically MITM into plain text traffic. Because it's time to go TLS.