You misread my post, what I meant was that your day-to-day account is vulnerable, since you run your applications with it. If that's the account belonging to wheel, once your user account is compromised the attacker is root as well. One should use a different account, hopefully harder to compromise since it is used only for sudo.
That said, I like your use of yubikeys, even better than the phone; that's the sort of stuff that should be triggered using a smartwatch.
Basically, this is a GNU vs BSD misunderstanding. On BSD, only wheel members can use su to become root after entering the root password. On GNU/Linux anyone can su to root by entering the root password regardless of whether they belong to wheel or not.[0]
The confusion with respect to these guidelines is because some BSD-inspired GNU/Linux distributions configure their sudo to use a "wheel" group.
> once your user account is compromised the attacker is root as well
... but only if they also know the root password.
Anyway, the long and short of it is that on GNU/Linux, wheel is only relevant on distributions that use wheel in their default sudo config.
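To make the point in this sub-thread concrete, here is an added example (not code from any poster): a small POSIX sh audit that, given /etc/group-style text and a sudoers text, reports whether a day-to-day account already has a root path because the sudoers grants `%wheel` and the account is a wheel member. The group and sudoers contents are constructed samples.

```shell
# Added example: audit whether a day-to-day account sits in a wheel group
# that a BSD-style sudoers grants root to. Inputs are constructed samples.
GROUP_FILE_CONTENT='root:x:0:
wheel:x:10:alice,bob
users:x:100:alice,bob,carol'

SUDOERS_CONTENT='Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL'

# True when the sudoers text grants the wheel group sudo rights
# (the "%wheel ALL=(ALL) ALL" line BSD-inspired distributions ship).
sudoers_grants_wheel() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*%wheel[[:space:]]'
}

# Print the comma-separated member list of group $1 from group text $2.
group_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Print 1 if user $1 is a member of group $2 in group text $3, else 0.
user_in_group() {
    group_members "$2" "$3" | tr ',' '\n' | grep -qx "$1" && echo 1 || echo 0
}

# For day-to-day user $1 (group text $2, sudoers text $3): print "exposed"
# when that same account is the one sudo will elevate, "separate" otherwise.
day_to_day_exposure() {
    if sudoers_grants_wheel "$3" && [ "$(user_in_group "$1" wheel "$2")" = 1 ]; then
        echo exposed
    else
        echo separate
    fi
}

# Usage: day_to_day_exposure alice "$GROUP_FILE_CONTENT" "$SUDOERS_CONTENT"
```

On a real host the same functions can be fed `getent group` output and the contents of /etc/sudoers and /etc/sudoers.d/*, which is where the wheel grant actually lives.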
Right, I kept using "wheel" to maintain the terminology in the GitHub page, but clearly this created confusion.
But my point was that, regardless of whether you use sudo or su, on GNU/Linux or on *BSD, if the account used to elevate privileges is compromised, the next time you elevate your privileges you should expect the attacker to follow you.
This is what I meant by "the attacker is root as well": it's just a matter of waiting for the next time you use su or sudo.