AWS: NAT Gateway in public subnet. Why?

A NAT Gateway (as well as a NAT Instance, for what it's worth) must be in a public subnet because only devices on public subnets can actually use a public IP address.

That's what makes a public subnet a public subnet.

The pedantic definition of a public subnet is a subnet whose associated VPC route table has at least one route pointing to the Internet Gateway... but in practice, it's usually a subnet with its default route (in the VPC route table) pointing to the Internet Gateway.

By contrast, a private subnet is a subnet without such a route. Usually, the default route for a private subnet points to a NAT device, though it could point to a hardware VPN or Direct Connect connection.

If a NAT device isn't on a public subnet, it (by definition) has no routes by which the traffic it has translated can reach the Internet, because its outgoing traffic follows the route table for the subnet on which it is located... so the subnet the NAT Gateway is placed on -- again, by definition -- must be a public subnet.

There is no security implication of placing a NAT Gateway on a public subnet, since incoming connection attempts are never accepted under any circumstances. This is something you can't misconfigure.

If you're thinking in LAN terms, the natural assumption is that a NAT device needs to be "on" at least 2 subnets, the external (public addresses) subnet and the internal (private addresses) subnet -- but the VPC network is not the LAN it appears to be. It's a software-defined layer 3 network that emulates Ethernet very cleanly, but it isn't Ethernet.
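Added example (not part of the original answer, and not AWS code): the public/private distinction above is purely a property of route tables, so it can be checked mechanically. The script below classifies subnets both ways described in the answer (the pedantic definition, any route to an Internet Gateway; and the practical one, a default route to an Internet Gateway) and then flags any NAT Gateway whose own subnet is not public, since the traffic it translates follows that subnet's route table and has no path to the Internet. All route tables, subnet and gateway IDs are constructed, boto3-shaped sample data, not output from a real account; the assumptions are that an Internet Gateway ID starts with `igw-` and that a subnet with no explicit association falls back to the VPC's main route table, which is how the DescribeRouteTables response behaves.

```python
"""Classify VPC subnets as public or private from their route tables and
flag NAT gateways that are not in a public subnet.

Added example with constructed, boto3-shaped sample data (made-up IDs);
not output from a real AWS account.
"""

IGW_PREFIX = "igw-"          # assumption: Internet Gateway IDs look like igw-...
DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample shaped like ec2.describe_route_tables()["RouteTables"].
ROUTE_TABLES = [
    {   # Main table: subnets with no explicit association land here.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # Public: default route -> Internet Gateway.
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0aaa"},
        ],
    },
    {   # Private: default route -> NAT gateway.
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0bbb"},
        ],
    },
    {   # Private: default route -> virtual private gateway (VPN / Direct Connect).
        "RouteTableId": "rtb-vpn",
        "Associations": [{"SubnetId": "subnet-vpn-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "vgw-0ccc"},
        ],
    },
    {   # Public only under the pedantic definition: an IGW route that is not the default.
        "RouteTableId": "rtb-odd",
        "Associations": [{"SubnetId": "subnet-odd-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0aaa"},
        ],
    },
]

# Constructed sample shaped like ec2.describe_nat_gateways()["NatGateways"].
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0bbb", "SubnetId": "subnet-pub-a"},   # correct placement
    {"NatGatewayId": "nat-0ddd", "SubnetId": "subnet-priv-a"},  # misplaced: private subnet
]


def route_table_for(subnet_id, route_tables):
    """Return the route table governing a subnet: its explicit association,
    or the VPC's main table when it has none."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def route_target(route):
    """Normalise the different target keys a route may carry into one string."""
    for key in ("GatewayId", "NatGatewayId", "TransitGatewayId",
                "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId"):
        if key in route:
            return route[key]
    return None


def classify(subnet_id, route_tables):
    """'pedantic_public': any route to an IGW. 'public': the default route
    itself points at an IGW (the definition that matters for NAT)."""
    rt = route_table_for(subnet_id, route_tables)
    targets = {r.get("DestinationCidrBlock"): route_target(r) for r in rt["Routes"]}
    default = targets.get(DEFAULT_ROUTE)
    return {
        "subnet": subnet_id,
        "route_table": rt["RouteTableId"],
        "default_target": default,
        "pedantic_public": any(t and t.startswith(IGW_PREFIX) for t in targets.values()),
        "public": bool(default and default.startswith(IGW_PREFIX)),
    }


def misplaced_nat_gateways(nat_gateways, route_tables):
    """IDs of NAT gateways whose own subnet has no default route to an IGW:
    the traffic they translate follows that subnet's table and never reaches
    the Internet."""
    return [ngw["NatGatewayId"] for ngw in nat_gateways
            if not classify(ngw["SubnetId"], route_tables)["public"]]


if __name__ == "__main__":
    for sid in ("subnet-pub-a", "subnet-priv-a", "subnet-vpn-a",
                "subnet-odd-a", "subnet-orphan"):
        print(classify(sid, ROUTE_TABLES))
    print("misplaced NAT gateways:", misplaced_nat_gateways(NAT_GATEWAYS, ROUTE_TABLES))
```

To run this against a real VPC, replace the two constructed lists with `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_nat_gateways()["NatGateways"]` from a boto3 EC2 client; the classification logic does not change. Note that `subnet-odd-a` comes out "public" under the pedantic definition but not the practical one, which is exactly why a NAT Gateway placed there would not work: its default route is the main-table-style local-only route, not the IGW.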