But I'd feel a lot happier if a second level of authentication were 
required to establish a wireguard connection, if no packets had been 
flowing for more than a configurable amount of time - say, an hour. It 
would give some comfort around lost/stolen devices.

Couldn't you just encrypt your home directory? Or even the root FS entirely.
Either of those should be a must on a portable device storing valuable
information.

But by analogy, would you say that SSH keys and PGP keys don't need protection by a passphrase?