If I understand correctly http://git.netfilter.org/nftables/tree/doc/nft.txt
NETDEV ADDRESS FAMILY
~~~~~~~~~~~~~~~~~~~~
The Netdev address family handles packets from the device ingress and egress
path. This family allows you to filter packets of any ethertype such as ARP,
VLAN 802.1q, VLAN 802.1ad (Q-in-Q) as well as IPv4 and IPv6 packets.
.Netdev address family hooks
[options="header"]
|=================
|Hook | Description
|ingress |
All packets entering the system are processed by this hook. It is invoked after
the network taps (ie. *tcpdump*), right after *tc* ingress and before layer 3
protocol handlers, it can be used for early filtering and policing.
|egress |
All packets leaving the system are processed by this hook. It is invoked after
layer 3 protocol handlers and before *tc* egress. It can be used for late
filtering and policing.
Then it looks like you are right. As I understand it, netdev is the closest to the hardware layer in nft, and it still kicks in after network taps and tc ingress according to the above.