Yup. That is pretty much the scenario. This is basically how the merchant POS terminals work - they read the random secret emitted by your phone NFC. They know (have confidence) that this number remains in a trusted context (mobile OS, wallet app, acquiring device) and pass this secret to the appropriate token vault provider (the bank or credit card company). They look up the token in the vault, and do whatever is necessary in the trusted context, and return, carry out whatever is needed for the transaction. In the case of NWC, the trusted context is the client app, holding the secret and sending it to the NWC agent, also operating in the trusted/privileged context on behalf of the user. Looking abstractly, NWC is exactly the same as payment tokenization. In NWC, instead on using a random secret, it is more powerful to use a random npub for the offline device, because then it gives it the additional power to communicate encrypted matter through a semi-trusted acquiring device that is providing the online communication channel.