What is the expected behavior of the “NR only” option in the *#*#4636#*#* menu?
1 vote, 0 answers, 218 views
I have a fully-patched Pixel Fold with the latest version of Android.
If I boot into airplane mode with no SIM cards installed while the “NR only” option is enabled, as soon as I disable airplane mode, the phone immediately connects to a GSM (2G) network, opening my phone up to 2G attacks despite having no SIM card. My expectation is that these connections would be blocked.
I also see that the phone occasionally makes UMTS and WCDMA (both 3G) connections in this mode as well, even though 3G is supposedly defunct in the United States. My expectation is that these connections would also be blocked.
If I then enable a network (i.e., Cricket or Visible) that seems to only support 5G in the form of 5G Non-Standalone (NSA) (4G+) (again, with “NR only” enabled), the phone proceeds to connect me to LTE, sometimes simultaneously with an NR network (with null MCC/MNC values and a TAC value of 0). My expectation would be for the phone to report no service.
So not only is “NR only” not NR only (it allows 2G, 3G, and 4G), but if I enable airplane mode, both \*#\*#4636#\*#\* and the CellMapper app continue to report that my phone is always connected to various cells over 2G, 3G, 4G, and 5G, the latter two with SIM cards installed and the former two without SIM cards installed.
Is “NR only” just “prefer 5G, otherwise connect to anything”? Does “NR only” include 5G NSA, which necessitates allowing LTE (making the option identical to “NR/LTE”)? Shouldn’t airplane mode entirely disable the mobile radio?
It seems if “NR only” is not literally “NR only”, then there’s no defense against the attacks described at https://www.mdpi.com/2624-800X/4/1/2 (which leverage 2G, 4G, and 4G+ (AKA 5G NSA)).
Asked by Patrick Dark
(139 rep)
Mar 30, 2025, 08:21 PM
Last activity: Mar 31, 2025, 04:19 PM