If you’re the kind of person liable to get personally targeted for nation-state-level attacks, then you definitely are going to want to unplug your YubiKey and keep it on your person. For the rest of us, a hardware 2FA token is enough to protect against a SIM swap attack, which is probably enough.
Groups also potentially at risk:
* Targets for industrial espionage (you might not be interesting but your employer is)
* Those believed to hold larger amounts of cryptocurrency
What does make it incredibly dangerous is that it also applies to, e.g., “sudo”: if you don’t have any additional protection, it effectively means that any exploit in any app can be immediately extended to a local privilege escalation, as there is no additional protection in place.
In other words, be careful what you wish for. :)
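A concrete form of the “additional protection” the comment above refers to, as an added illustration that is not part of the thread: a PAM rule for sudo using pam_u2f, shown first in the weak form and then with a mandatory touch. The mapping-file path and the placement before the distro's common-auth include are assumptions; the option names are pam_u2f's own (userpresence= requires pam_u2f 1.1.0 or newer).

```conf
# /etc/pam.d/sudo (added illustration; assumes pam_u2f is installed and the
# key was enrolled into /etc/u2f_mappings with pamu2fcfg)

# Weak: the key answers the challenge without a touch. With the key left
# plugged in, any process already running as the user can satisfy sudo's
# second factor silently, which is the privilege-escalation path above.
#auth  required  pam_u2f.so  authfile=/etc/u2f_mappings  userpresence=0

# Corrected: require physical presence (a touch) for every authentication,
# prompt for it, and keep the key a second factor next to the password
# rather than a replacement for it.
auth   required  pam_u2f.so  authfile=/etc/u2f_mappings  userpresence=1  cue
@include common-auth
```

With the touch requirement, a plugged-in key still cannot complete a sudo authentication that a person did not physically confirm, so the exploit-to-root chain needs the user at the keyboard.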
Maybe yes, maybe no. Do you have a backup YubiKey? If so, then you need to keep it in a separate location (i.e. don't defend against losing your keys by putting both your primary and your backup on the same physical keychain). Are you putting it in a safe? What safe can you buy that is sufficient protection against nation-state level attacks? How often do you check your safe to make sure that your backup hasn't been stolen? What process do you have in place to revoke and replace your backup YubiKey in case you do discover that the backup has been stolen (do you have a list of every website at which you ever enrolled the backup, and how do you safeguard the list)?
IMO unless you are very seriously paranoid, you buy a "nano" in-slot YubiKey if your usage pattern targets a single machine, and a keychain YubiKey (with NFC) if you need portability between, say, your work laptop, your home desktop, and your phone. It's not a question of security but of your usage pattern.