Strategies for storing secrets in NDEF containers

I’ve played with a similar thought here: “Secure auth with dumb chips, secret outside of NDEF (xSIID?)”

Conclusion was “wait for Apex”.

I mean, if your password is sufficiently long and complex (whatever sufficiently means), then yeah, it’s “secure”.

For storage like this I’d still prefer an Apex tho, where we could have an applet that e.g. destroys the data after 10 failed attempts to enter a password. But at that point, why not just use the Apex to do all the PGP magic?

I guess this is the limiting factor here? I mean nothing will ever happen and it seems like it can’t be avoided in this scenario, but I do not like the idea of “storing PGP key on NDEF”.