CSRF protections

It’s unencrypted, of course, but only within your network.

If the attacker is connected to your LAN (by Wi-Fi or LAN) he/she can read all HTTP traffic because it's plain text. If the attacker is not connected to your LAN he/she can't read it because… well… the traffic is only inside your network.

So within your network having a self-signed cert is completely fine because you can use HTTPS and yeah.

But an attacker can intercept Wi-Fi packets and use them as he/she wants because it is unencrypted?

Like just record my WiFi packets?

No. Wi-Fi is encrypted as well, as long as you use WPA2/3.


Better to use 3.

WPA2 is possibly vulnerable to this: getting a handshake and then cracking it offline.

To do that, you must be "listening" with airodump-ng while a legitimate client connects to the network. It doesn't matter if the SSID is hidden. You'll get the handshake anyway and you'll crack it offline based on BSSID. To obtain it, the common method is using DoS by deauthenticating a client, but your question said "without sending deauth frames". So if you want the handshake without DoS you can only wait, wait and wait... until a client connects to get it. You said there are no clients connected to the network. Maybe you can only set up the "listening" and wait for days... Once you have the handshake capture file you can crack it without fear of being detected or whatever; it's an offline process. You can use aircrack or hashcat tools (or maybe others).

Unfortunately an attacker can also choose to use an evil twin, or Dragonblood (which is also WPA3), or Kr00k.

My opinion is to never trust Wi-Fi in general for devices that need security. Yes, you can frustrate a hacker by leveraging long passwords, preferably from a password manager, enabling KRACK mitigation, which decreases the number of EAPOL key 4 handshakes, and enabling 802.11w to turn on management frame protection against deauths.

Yet wireless stays insecure; I'm more of the opinion to use these devices air-gapped with isolation, and if that option is not there, use a local VPN client on the device directly.

You can also choose to use a MAC whitelist. Sure, it defeats its purpose because an attacker can spoof it, but in my opinion, the less interesting you can make an AP, the less interest they have in entering it. This goes hand in hand if you also wish to hijack DNS and block a lot of social media; their AV also complains about invalid certs due to NextDNS blockage 😋

Now, whether the chance that this happens is big or not? I think it's relatively low, but if you use certain equipment with more risk and you have an Ethernet port on it, use it :+1:

Often what I choose is to MAC whitelist it; then they have to deauth them, and I will be instantly alerted because I see that my device has no internet :slight_smile:
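As an added example that is not part of any post above, here is what the mitigations mentioned in the last post (a long passphrase, the KRACK workaround, 802.11w management frame protection, a MAC whitelist) look like as a hostapd access-point configuration. The weak WPA2 block is shown first, then the hardened WPA3-SAE block. The interface name, SSID, channel, passphrase and the whitelist file path are assumed placeholders; the option names (`ieee80211w`, `wpa_disable_eapol_key_retries`, `macaddr_acl`, `accept_mac_file`, `sae_password`, `sae_require_mfp`) are standard hostapd keys.

```ini
# --- Weak: WPA2-PSK with no management frame protection ---
# Deauthentication frames are unauthenticated here, so a nearby attacker
# can kick clients off and capture the 4-way handshake for offline cracking.
interface=wlan0            # placeholder interface name
ssid=HomeNet               # placeholder SSID
hw_mode=g
channel=6                  # placeholder channel
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=hunter2     # short, guessable: this is what offline cracking targets
ieee80211w=0               # PMF disabled: deauth/disassoc frames are not protected

# --- Hardened: WPA3-SAE with PMF required, KRACK workaround and MAC ACL ---
interface=wlan0            # placeholder interface name
ssid=HomeNet               # placeholder SSID
hw_mode=g
channel=6                  # placeholder channel
wpa=2
wpa_key_mgmt=SAE           # SAE (WPA3) replaces the crackable PSK handshake
rsn_pairwise=CCMP
# Long random passphrase from a password manager; placeholder value here.
sae_password=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE-FROM-YOUR-MANAGER
ieee80211w=2               # 802.11w PMF required: deauth/disassoc frames must be authenticated
sae_require_mfp=1          # refuse SAE clients that will not do PMF
# KRACK workaround: do not retransmit EAPOL message 3, so a client that
# accepts a replayed message cannot be pushed into reinstalling its key.
wpa_disable_eapol_key_retries=1
# MAC whitelist: 1 = deny all except entries in accept_mac_file.
# Spoofable, as the post says, but it raises the bar and makes intrusions visible.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept   # placeholder path, one MAC per line
```

Only one of the two blocks belongs in a real hostapd.conf; they are shown together for comparison. Clients that cannot do WPA3 or PMF will be refused by the hardened block, which is the intended trade-off: `ieee80211w=1` (optional) would let such clients connect but would also let an attacker deauthenticate them, so it does not give the protection the post is after.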