The browser-cacheable bit is critical here. By having visited the page before, even though the network won’t allow traffic yet, the cached page performs a redirect to an unsecured page that the local captive portal CAN intercept.
What Joshua said, plus some hotspots also whitelist some IPs, allow some HTTPS temporarily. The world of hotspots is a real mixed bag on how they do things.