Not sure how many networks would actually rely on SSID or would have two WPA3 APs with different SSIDs one of which is vulnerable somehow. Sounds a bit exotic.

But authors show one good case with eduroam, where they make university devices from Campus A connect to spoofed APs relaying to less secure devices in Campus B. Client devices still think they are connected to Campus A and disengage VPN.

And there an attacker can theoretically MITM into plain text traffic. Because it's time to go TLS.