Even if you have a system which is more secure than UID-only (i.e. not at all), e.g. using DESFire EV1/EV2 (and assuming they use it correctly) to have a non-trivially clonable access token, 99.9% still use what the industry calls "non-transparent readers" (simply because "transparent readers" were invented in like 2023), which is to say the actual card/NFC reader out in the insecure area has the DESFire master key in it and performs the challenge/response and only reports the decoded UID back to the access controller over some wires. Which is obviously completely insecure and open to all sorts of tampering. The physical access industry puts tamper contacts on the card readers for this reason.
The physical access industry is generally extremely tight-lipped about how their garbage actually works. Half the reason is that they know they're selling insecure garbage for a lot of money, the other half is that the industry genuinely believes not documenting stuff increases security. The third half is that having documented and open systems would mean their franchise/installer people would maybe not be able to take their fat cut in some cases.
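
An added sketch, not part of the comment above and not any vendor's code, of the two reader designs it contrasts, showing what evidence reaches the access controller in each. It assumes a transparent reader simply relays card traffic to the controller; HMAC-SHA256 stands in for the card's real authentication, and the key, UID and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values. HMAC-SHA256 is a stand-in (assumption) for the
# card's real key-based authentication; only the trust placement matters here.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_UID = "04A1B2C3D4E5F6"
ALLOWED = {CARD_UID}

class Card:
    """Token that proves possession of a key without revealing it."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key
    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

def verify(card, key):
    """Run one challenge/response round against `card` using `key`."""
    challenge = os.urandom(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(card.respond(challenge), expected)

class NonTransparentReader:
    """Reader in the insecure area holds the key and does the crypto."""
    def __init__(self, key):
        self.key = key
    def read(self, card):
        # Only the bare UID is put on the wire to the controller.
        return card.uid if verify(card, self.key) else None

def controller_non_transparent(uid_from_wire):
    # The controller sees a UID and nothing else: it holds no evidence
    # that a challenge/response ever took place.
    return uid_from_wire in ALLOWED

def controller_transparent(card_channel):
    # The reader only relays messages; the key and the check stay in the
    # controller, inside the secure area.
    return card_channel.uid in ALLOWED and verify(card_channel, CARD_KEY)

def evidence_summary():
    genuine = Card(CARD_UID, CARD_KEY)
    wrong_key = Card(CARD_UID, os.urandom(16))  # same UID, no valid key
    reader = NonTransparentReader(CARD_KEY)
    return {
        "reader_rejects_wrong_key": reader.read(wrong_key) is None,
        "nt_controller_accepts_bare_uid": controller_non_transparent(CARD_UID),
        "transparent_accepts_genuine": controller_transparent(genuine),
        "transparent_rejects_wrong_key": controller_transparent(wrong_key),
    }
```

In the non-transparent design the cryptographic check is sound but ends at the reader, so the controller's decision rests on the wiring and the tamper contact; in the transparent design the controller verifies the card's proof itself.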