The trivial defense against this is time limited passwords for Wifi access. Deny all access until a valid password is entered, only permit that password and MAC address pair for n minutes.

Buy a coffee, get a new password, etc.

On a technical level it’s trivial, but you’re taking about having a shop replace their wifi router and/or update firmware, create some way for staff to see the current password and/or integrate with POS systems to print it on the receipt, update signage, etc. Hardly trivial for the average non-techie business owner.

So "trivial" that this is how it was done years ago, but then coffee shops gave up on it because it turned it not to be so trivial after all.

Their employees' time is more effectively spent making coffee than repeatedly providing low-level tech support for random password problems.