Depending on how the certificate is created, there can be other tags on the cert that will make it fail if it's expired, like the EV (extended validation) portion. That's the part that gives you the big green tick on banking sites. Generic SSL/TLS certificates will still encrypt after expiration, but their validity is no longer assured by the CA chain. There are good and reliable free SSL/TLS certificate sources like LetsEncrypt that will give you all the bits you need up to the EV part, but they don't support that in the free tiers; you need to pay to get that, as it needs to verify you are the owner of the domain being validated. The public keys are the only parts that are transferred between the client and the server. The initial connection with the server will ask for a public key, and there will be some back and forth negotiating for both sides to use a public key, with the server's private key remaining as the source of truth for both public certs. These temporary public keys are protected by a part of the TLS system called Perfect Forwarded Secrecy. It essentially rolls the keys once a session has been created so that anyone who has sniffed the traffic is unable to use the known keys to replay the conversation and decrypt it, even if you have the private keys. If a self-signed certificate is used, it usually just means the admin hasn't set up proper certs yet or doesn't care about the actual security and it's just a tickbox to get a service running. There are other parts of the SSL/TLS infrastructure that can be abused, like downgrading the cyphers to weaken the encrypted streams and/or disabling PFS so that people can actively sniff and replay things with the private key in real time.

The part you as a user need to be concerned about isn't just a cert being expired; it's the CA revoking the cert and it still being in use.
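The distinction the post draws between "still encrypts" and "still trusted" can be seen in a client's path validation. The Go example below is added here and is not from the original post: it mints self-signed test certificates for a constructed host name and runs them through Go's standard x509 verifier, which stands in for the checks a browser performs. An expired cert and a cert with no installed trust anchor both fail validation even though their key pairs would encrypt a session perfectly well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a self-signed certificate for host (constructed test fixture, not a real CA).
func selfSigned(host string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// verdict runs the path validation a TLS client performs against the given trust anchors at time now.
func verdict(cert *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: cert.DNSNames[0], Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "valid"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired" // key still encrypts; the CA chain no longer vouches for it
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted" // self-signed with no trust anchor installed
	}
	return "other: " + err.Error()
}

func main() {
	now := time.Now()
	cert := selfSigned("app.example.test", now.Add(-48*time.Hour), now.Add(-time.Hour)) // already expired
	fmt.Println(verdict(cert, x509.NewCertPool(), now)) // expiry is checked before any chain is built
}
```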