What each warning actually means
The wording is precise and it is worth knowing what it is telling you, because people read all of these as hacked and most of them are not.
Not Secure
No encryption on this connection, or no valid certificate. Anything typed into a form on that page travels readable across the network. Nobody has necessarily attacked you. You just do not have a certificate installed, or the one you have is not doing its job.
Your connection is not private, or NET::ERR_CERT_...
A certificate exists but the browser will not accept it. Almost always one of three things: it expired and the renewal did not run, it was issued for a different name (the classic being www.yourdomain.com when the visitor came to yourdomain.com), or it is self signed. Read the detail text in the warning; it names which of these it is.
Mixed content, or a padlock that will not appear
The page loads securely but pulls in at least one file over plain HTTP. Browsers either block it or drop the padlock. A single old image URL hardcoded years ago is enough. The browser console lists exactly what it is.
This site may be hacked, or Deceptive site ahead
This one is serious. Google is telling searchers or visitors that something is wrong, and it costs you traffic immediately. Search Console reports the detail under Security Issues, including what was found and where. Do not guess at this one; read the report.
Spam links or content you did not write
Injected content, often hidden from you and shown only to search engines or to visitors arriving from search. A telltale is searching site:yourdomain.com and finding pages about products you have never sold. This is a compromise, not a glitch.
Unexplained redirects
Visitors, often only mobile visitors, land somewhere else entirely. Frequently invisible when you test it yourself, because the injected code deliberately skips anyone who looks like the site owner.