Nearlyfreespeech is more of a host than a registrar, but I feel they generally have really good practices and procedures areound security. I certainly trust them more than Godaddy. That said, they don't support a lot of .wacky suffixes other registrars might.
Namecheap is bigger, so it's possible to get support people that aren't amazing. Porkbun is pretty small and I feel like there's less room for underperforming support staff when you have less than 10 of them.
Porkbun has an extra "domain password protection" option where you can require and extra password retrieving an auth code for domain transfer. I'm not sure how much use that is though. Once someone is into the account to the point they can change NS, the real world impact is similar to having the domain transferred away (and recovered).
Instead of compromizing cryptocurrency services, they support paying for their services in cryptocurrency. That's arguably a better strategy for engaging with the target audience of crypto enthusiasts ;)
I'm not very confident about Namecheap, given how long it took them to add 2FA. It seems to me that if they cared about security they wouldn't have waited literally years to do it.
It's been around since 1998 and is a founder-owned company, and the founder wrote the book on managing mission-critical domains:
https://www.amazon.com/Managing-Mission-Critical-Demystifyin...
And they do offer registry lock (on a limited number of TLD's.)