Network Firewall stateful rules engine allows traffic to pass by default, while the security group default is to deny traffic

0

How does the default 'pass' behavior of AWS Network Firewall interact with the default 'deny' of AWS Security Groups? It sounds like the Network Firewall and the Security Group operate at different levels, with traffic first hitting the Network Firewall, being allowed, and then hitting the Security Group. The traffic would still independently need to be vetted by the Network Firewall stateful rules and also be on the allow list of the Security Group before it could get through, correct?

3 answers
1

Your understanding is correct, but the order is wrong. First, traffic will hit the Security Group. Once permitted by the Security Group, action will be taken as per the Network Firewall rules.

answered 3 months ago
0

Yes, you're correct. Traffic first passes through the AWS Network Firewall, which by default allows traffic unless explicitly denied by its stateful rules. Then, it encounters the AWS Security Groups, which by default deny all inbound traffic unless explicitly allowed. For traffic to successfully reach its destination, it must be permitted by both the Network Firewall and the Security Group rules. This layered security ensures that traffic is vetted both at the network level by the Network Firewall and at the instance level by the Security Groups before being allowed through.

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

Expert
answered 3 months ago
0

Network Firewall, Security Groups and NACLs operate at different layers and make decisions independently of each other. For defense in depth you can make use of all of them to safeguard your environment. The blog below has diagrams that show how traffic flows via AWS Network Firewall.

https://aws.amazon.com/blogs/security/tls-inspection-configuration-for-encrypted-traffic-and-aws-network-firewall/

AWS
Expert
answered 2 months ago
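To make the layering described in the two answers above concrete, here is an added example (not from the original thread or from AWS) that models a Network Firewall stateful policy and a security group as two independent filters and shows that a flow reaches the instance only when both permit it, whichever layer is consulted first. The rule matching is a deliberate simplification of the real Suricata-based engine; the policy default action names `aws:drop_strict` and the sample rules and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str     # source IP of the inbound connection
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port

@dataclass(frozen=True)
class StatefulRule:
    action: str                  # "pass" or "drop"
    proto: str = "any"           # "any" matches every protocol
    dport: Optional[int] = None  # None matches every port

def network_firewall_verdict(flow, rules, stateful_default_actions):
    """Simplified strict-order evaluation: the first matching rule wins. With no
    match the engine passes the flow unless the policy sets aws:drop_strict."""
    for rule in rules:
        if rule.proto in ("any", flow.proto) and rule.dport in (None, flow.dport):
            return rule.action
    return "drop" if "aws:drop_strict" in stateful_default_actions else "pass"

def security_group_verdict(flow, inbound_allow_rules):
    """Security groups are allow-list only: anything not listed is denied."""
    src = ipaddress.ip_address(flow.src)
    for proto, port, cidr in inbound_allow_rules:
        if proto == flow.proto and port == flow.dport and src in ipaddress.ip_network(cidr):
            return "allow"
    return "deny"

def reaches_instance(flow, nf_rules, nf_defaults, sg_rules):
    """Both layers must permit; the result does not depend on evaluation order."""
    return (network_firewall_verdict(flow, nf_rules, nf_defaults) == "pass"
            and security_group_verdict(flow, sg_rules) == "allow")

# Constructed sample policy: one explicit drop for telnet, two different defaults.
NF_RULES = [StatefulRule("drop", "tcp", 23)]
PERMISSIVE_POLICY = []               # no aws:drop_* default: unmatched flows pass
STRICT_POLICY = ["aws:drop_strict"]  # unmatched flows are dropped
SG_RULES = [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8")]

if __name__ == "__main__":
    for flow in (Flow("203.0.113.5", "tcp", 443), Flow("203.0.113.5", "tcp", 22),
                 Flow("10.1.2.3", "tcp", 22), Flow("10.1.2.3", "tcp", 23)):
        print(flow, reaches_instance(flow, NF_RULES, PERMISSIVE_POLICY, SG_RULES),
              reaches_instance(flow, NF_RULES, STRICT_POLICY, SG_RULES))
```

Running it shows the point of the thread: with the permissive default, the security group is the only thing standing between an unmatched flow and the instance, while `aws:drop_strict` makes the firewall an allow-list as well.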
