Use Operating Channel Validation
At this time NetworkManager does not use Operating Channel Validation (OCV). This is a relatively recent WiFi security feature that prevents MITM multi-channel attacks. It's described in detail in the following paper: https://papers.mathyvanhoef.com/wisec2018.pdf
Both wpa_supplicant and hostapd support this feature, and it can be enabled by setting ocv=1 in the wireless network configs. It doesn't require driver support if hostapd SME is used, and if driver SME is used setting ocv=1 will only enable OCV when the driver indicates support for it. I believe NetworkManager should enable this feature by default.