In AWS, why is an EC2 behind a NAT gateway in a private zone said to be safer than one in a public subnet?

If an instance has a Public / Elastic IP I can directly target it with an attack. Maybe you left some unneeded ports open in the Security Group that I can exploit.

If it doesn’t have a Public / Elastic IP it’s close to invisible to the Internet and I can’t directly target it from outside.

Think of a house - if it’s got a door directly on the street, your house security depends on the door lock. However, if it’s in a section behind a solid wall, it’s much harder to even get to the door and try to break the lock. Even if you by mistake leave the door unlocked you should still be pretty secure.

So yes, if everything works as expected then the security of public and private subnets should be similar. But mistakes happen and having your resources in a private subnet gives you an extra layer of protection in such times.

Hope that helps :)
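The distinction drawn in the answer above can be checked in an audit. The following is an added example, not part of the original answer: it flags security groups open to any address and separates instances where that mistake is reachable from the Internet from those where a missing public address shields it. The data is constructed in the shape of EC2 `DescribeInstances` / `DescribeSecurityGroups` responses; the instance IDs, group IDs and function names are made up.

```python
# Constructed sample data in the shape of the EC2 DescribeInstances /
# DescribeSecurityGroups responses (trimmed to the fields used here).
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-public-example", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-wide-example"}]},
    {"InstanceId": "i-private-example",
     "SecurityGroups": [{"GroupId": "sg-wide-example"}]},
    {"InstanceId": "i-public-tight-example", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-tight-example"}]},
]}]}

SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-wide-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-tight-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
]}

def world_open_rules(group):
    """Return (protocol, from_port, to_port) for rules open to any address."""
    rules = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            # IpProtocol "-1" means all traffic; such rules carry no ports.
            rules.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return rules

def classify(instances, groups):
    """Map each instance ID to ('exposed' | 'shielded' | 'ok', open rules)."""
    by_id = {g["GroupId"]: g for g in groups["SecurityGroups"]}
    result = {}
    for res in instances["Reservations"]:
        for inst in res["Instances"]:
            open_rules = [rule for sg in inst.get("SecurityGroups", [])
                          for rule in world_open_rules(by_id.get(sg["GroupId"], {}))]
            if not open_rules:
                status = "ok"
            elif inst.get("PublicIpAddress"):
                status = "exposed"    # the mistake is reachable from the Internet
            else:
                status = "shielded"   # same mistake, but no public address
            result[inst["InstanceId"]] = (status, open_rules)
    return result
```

Calling `classify(INSTANCES, SECURITY_GROUPS)` reports the same wide-open group as `exposed` on the public instance and `shielded` on the private one. A `shielded` result still means the group should be tightened, since other hosts inside the VPC can reach those ports.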