VMware Networking Community
TamoorAliKhan
Contributor

L3 and L2 VPN

Hi Champs,

I have a very silly question regarding the design of NSX when using IPsec or SSL VPN on NSX Edge. For that we need to have a VLAN configured for the public IP, and it must be reachable to the NSX host for VPN on NSX Edge. Don't you think that this can cause security problems, spanning a public IP all the way through your physical infrastructure to the NSX hosts? Same with L2 VPN?

2 Replies
Sreec
VMware Employee

There is no difference between how L3/L2 VPN (ISAKMP, DH keys, IKE, etc.) operates in NSX compared with configuring/operating it on a physical device. Ideally, appropriate VPN firewall rules will get auto-plumbed, or we could manually configure the same at the ESG level and ensure that only the required rules for ingress/egress are enabled while configuring VPN. I don't find a security concern here, irrespective of whether we are using a private/public IP. In fact, NSX makes the whole network more secure (this is a broader topic). So my advice is: compare your company security standards with NSX VPN (for example DH key, SHA values, etc.) if you have a use case, and if NSX supports the same parameters there shouldn't be a second thought. There are other points as well, like from a routing perspective, redundancy, etc., to confirm what is supported/unsupported, and it has much to do with the second phase: designing the network end to end for the connectivity.

Cheers,
Sree | VCIX-5X| VCAP-5X| VExpert 7x|Cisco Certified Specialist
RShankar22
VMware Employee

Configuring a public IP address on the Edge uplink is for reachability to the remote peer. There is no security concern with this design, as in physical devices we generally block various types of attacks (flood/DDoS).

Based on your company design you can install a physical firewall or use NAT-T for VPN.

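The two replies above boil down to two checks a network team can actually carry out before enabling a site-to-site VPN on an edge uplink: compare the proposed IKE/IPsec parameters (DH group, hash, cipher) against the company baseline, and keep the uplink's ingress/egress rules to the minimum the peer needs (IKE on UDP/500, NAT-T on UDP/4500, and ESP), leaving everything else to the implicit deny. The following script is an added example that is not from this thread and not NSX code; the baseline values, IP addresses and the rule/flow model are constructed for illustration and are not tied to any NSX API.

```python
"""Added example (not from the thread): two defender-side checks for an
edge-uplink site-to-site IPsec VPN.
  1. compare a proposed IKE/IPsec parameter set against a company baseline;
  2. build the minimal uplink rule set for one peer and evaluate flows against it.
All IPs and baseline values are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical company baseline: minimum DH group and accepted hash/cipher names.
BASELINE = {
    "min_dh_group": 14,
    "hashes": {"sha256", "sha384", "sha512"},
    "ciphers": {"aes128", "aes256", "aes-gcm-128", "aes-gcm-256"},
}


def check_proposal(proposal: dict) -> List[str]:
    """Return a list of findings; an empty list means the proposal meets the baseline."""
    findings = []
    dh = proposal.get("dh_group", 0)
    if dh < BASELINE["min_dh_group"]:
        findings.append(f"DH group {dh} below baseline minimum {BASELINE['min_dh_group']}")
    if proposal.get("hash") not in BASELINE["hashes"]:
        findings.append(f"hash {proposal.get('hash')!r} not in accepted set")
    if proposal.get("cipher") not in BASELINE["ciphers"]:
        findings.append(f"cipher {proposal.get('cipher')!r} not in accepted set")
    return findings


@dataclass(frozen=True)
class Rule:
    src: str                      # source IP
    dst: str                      # destination IP
    proto: str                    # "udp", "tcp" or "esp"
    dport: Optional[int] = None   # None for protocols without ports (ESP)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def minimal_vpn_rules(edge_ip: str, peer_ip: str) -> List[Rule]:
    """The only uplink rules a site-to-site IPsec peer needs, in both directions.
    Anything not listed here falls through to the uplink's implicit deny."""
    rules = []
    for a, b in ((peer_ip, edge_ip), (edge_ip, peer_ip)):
        rules.append(Rule(a, b, "udp", 500))    # IKE negotiation
        rules.append(Rule(a, b, "udp", 4500))   # NAT-T: IKE and ESP encapsulated in UDP
        rules.append(Rule(a, b, "esp"))         # native ESP when no NAT sits in the path
    return rules


def flow_permitted(flow: Flow, rules: List[Rule]) -> bool:
    """Allow-list semantics: a flow passes only if some rule matches it exactly."""
    return any(
        r.src == flow.src and r.dst == flow.dst
        and r.proto == flow.proto and r.dport == flow.dport
        for r in rules
    )


if __name__ == "__main__":
    # Constructed sample: a weak proposal and a baseline-compliant one.
    for p in ({"dh_group": 2, "hash": "sha1", "cipher": "aes256"},
              {"dh_group": 14, "hash": "sha256", "cipher": "aes256"}):
        print(p, "->", check_proposal(p) or "OK")

    edge, peer = "203.0.113.10", "198.51.100.20"   # constructed documentation addresses
    rules = minimal_vpn_rules(edge, peer)
    for f in (Flow(peer, edge, "udp", 500),        # IKE from the peer: allowed
              Flow(peer, edge, "esp"),             # ESP from the peer: allowed
              Flow("192.0.2.7", edge, "udp", 500), # IKE from an unknown host: denied
              Flow(peer, edge, "tcp", 22)):        # management port from the peer: denied
        print(f, "->", "permit" if flow_permitted(f, rules) else "deny")
```

The rule generator pins both the peer and the edge address on every rule, so a public uplink address by itself admits nothing beyond the three protocols the tunnel needs; the parameter check is the "compare your company standards with what the VPN supports" step made explicit.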