Here's what I've understood on how Windows Phones work: basically, nothing runs without the permission of the user. Hence, nothing gets extracted from the phone without the user's consent. Simply: a stranger can't get candy from a child if the child says no (user consent)... if the child throws that candy (or a copy of it) in open air to give to another child (unencrypted connection), then the stranger can simply catch it... but if the same child throws that candy through a thick metal pipe directly to the other child (encrypted connection), then the stranger knows that something is going on but he won't even have an idea what was thrown, when it was thrown, or if it was thrown at all. So, two things must happen for the stranger to get the candy: 1) the child must throw the candy (user consent) and 2) it must be thrown in open air (unsecure, unencrypted connection).
The sniffing off information in public WiFi doesn't happen "automatically". The risk can only exist during the process when the user is sending, i.e. with the user's knowledge and consent, the information to be stolen, e.g. while logging into an unsecure/phishing website or through an unencrypted connection (without the padlock sign in the URL box).
Hence, even if the phone was connected to a certain WiFi router/hotspot, the information in a Windows Phone can't simply be accessed remotely without the user's consent. The camera can't be remotely activated (unlike the recent Android bug), files can't be copied, personal information can't be stolen... all without the user's consent. To illustrate the difficulty, an app that is already installed on the phone can't even access these information without the user's consent (they can't modify, copy or even communicated with other installed apps on the same phone), so access from a remote location outside the phone should even be more difficult. Another illustration is if the user forgets his or her lock screen password, all his or her files in his or her phone can no longer be accessed. So if a Windows Phone gets stolen, the thief won't be able to do anything with it. In addition, the user can simply go to his or her Windowsphone.com account and remotely wipe the contents of that phone, or lock it if it goes missing for example.
In the user agreement, Microsoft (and the two other main competitors) have reserved the right to provide user information to governments when mandated by the government, e.g. when the user faces a criminal case and the government needs evidence or information from Microsoft. BUT, that doesn't give governments the ability to control our devices at their will. This creepy scenario hasn't been observed yet, although given the Sand Boxing technology in Windows Phones that controlling thing is highly unlikely. Not even Microsoft can do that.
Ip-based webcams are a different case. They are usually connected through an unsecure, unencrypted and unprotected connection, that's why they can be accessed remotely via the web... but simply adding a password to the network blocks that from happening again.
The text might be long. In short, Windows Phones are secure. I won't say they're the safest devices out there (probably they are), but I'd say the level of security implemented on Windows Phones is high enough to keep the majority, if not all, of its users at peace. I had a multiple-page document detailing the security specifications implemented on Windows Phones... it's basically like a fortress, fortified several times and there's only one way to get in.