NFC tags can cloned trivially and permanently. Wearing an NFC ring that can unlock your phone broadcasts a working phone PIN, without your awareness or consent, to any transmitter or receiver that cares to ask. It is safe to assume that malls and government security agencies worldwide are tracking you in part through your NFC tags.
Anything that uses a challenge-response protocol would be safe, but that’s not NFC tags at all. Google is removing a feature that can be used to break into your phone as easily as if you’d printed the PIN on a ring in Courier. Phew.
The NFC protocols implements by Yubico are dynamic, not static, derived from a secret key held in hardware on the device. Those dynamic methods are not vulnerable to the NFC Tag issues described above.
An attacker could use NFC to sniff the exchange between your phone and your Yubikey, so you're still vulnerable to eavesdropping. But the point of the challenge-response protocols is to make eavesdropping irrelevant.
The practical vulnerability would be if an attacker eavesdropped on a one-time password going over NFC, blocked your phone's outbound signals so that it can't send it, and then somehow used the one-time password for their own nefarious purposes.
You'll have to make your own judgement call on whether that's a level of compromise you can accept for your use case.
You can also have no lock screen password or a trivial pattern. Not everybody requires the same level of safety. I'm not expecting my phone to be safe against physical access at all (although it probably is).
A trivial pattern is safer than NFC, because it's more difficult to record surreptitiously. Getting a visual recording of your hand is more difficult than cloning your ring's NFC tag data.
No lock screen password is safer than NFC, because it's more difficult to unlock your phone. Getting a physical hand to unlock your phone is more difficult than transmitting an NFC unlock signal to it from a distance.
Anything that uses a challenge-response protocol would be safe, but that’s not NFC tags at all. Google is removing a feature that can be used to break into your phone as easily as if you’d printed the PIN on a ring in Courier. Phew.