I don't know about Apple Pay in particular, but I can say that all of your concerns are invalid with Google Wallet, because:
1) Credit card information is not actually stored on your phone, so it would be impossible to get it off of there.
2) Unless you hack your phone, Android disables its NFC transmitter when the screen is off or locked. Since your phone has to be within a few centimeters of the receiver for it to active, it would be impossible for anybody to try to request payment from your phone without you realizing it.
3) Even if that happens, you have to enter a PIN in order to authorize payment. The above situation couldn't happen even if your NFC transmitter was on all the time, unless you had a habit of entering your PIN any time your phone requested it. Somebody who stole your phone would have to first get through your lock screen (assuming you set an unlock code or use a fingerprint scanner) and then guess your PIN, which isn't 100% unbreakable, but would likely take more than long enough for you to realize your phone had been stolen and deactivate that account.