If this can happen, is it possible that once mandatory developer verification comes into effect, all 3rd party apps will be uninstalled at first and require a re-install?
Concerning this specific case, NFCGate is a tool on which malware (family) titled NGate by ESET is based, thus likely causing a false positive.
Oh, and no bypass is available anymore (aside from disabling play protect):
Play protect doesn’t actually scan for malware; it’s not an anti-virus. Google, supposedly, scans for malware on the app store regularly and takes action through play protect if they find it there.
So, in other words, unless you have a very specific reason; like you believe it is likely that one of the apps you use from the google play store could become compromised in the future, just disable plat protect.
It will at best annoy you with false positives and blocking non-play store apps for no other reason than google’s jealousy. At worst it won’t stop a harmful app from being on your device – it will just eventually catch and remove it after it has already been on your device doing whatever nefarious activity.