My mistake had actually been (carelessly and stupidly) leaving the hotspot out in the open and visible in the presence of a visitor (a tradesman) whom I became uneasy about later for whatever reasons. But the main thing was realising I had been distracted during his time in the house and he could have had access to my hotspot while my back was turned. I admit there's a lot of far-fetched "ifs" and "could haves" in this scenario, but there it is.
As to time needed to WPS-connect to the hotspot, if you're someone who is familiar with it (and they have been around since November last year and are popular here) it's four taps on the device's face to press the "pair devices" button and return to home screen. About 3 seconds and simply walk away from the hotspot. You then have 2 minutes to hit the WPS button on your own device that you want to pair. And that's something you could even do openly - everyone fiddles with their mobile nowadays and few would ask what you were doing.
It would take a pretty brazen person to do all this but we get a lot of those nowadays. Especially us older folk. Anyone wanting to join you on your wifi isn't after a bit of free service - they're after identity and financial details. I don't know about the US - I hope it's different - but in Australia you tend to get at least one scamming phone call a day (true!), scam door-knockers about once a month, and phishing emails a bit less frequently if you're lucky. There's a lot of predation on the vulnerable and elderly. And the attitudes and responses of our authorities and private sector to this really don't do our country much credit.
The remedy, as you rightly point out, is to physically ensure no one but those you want to can get their hands on the hotspot. I will certainly now be more careful in future, but there's always that day you forget. Having that WPS facility on the AC790S with no option to turn it off is (IMHO) appalling madness.
Restricting the number of devices and whitelisting the ones allowed is a good suggestion and I'll be following it up.
I'm happy if this thread keeps running for a bit and any new thoughts about AC790S security will be followed with definite interest.
Edited by Itchy01, 12 November 2015 - 07:08 PM.