NeatEmpty will look for empty resources and clean up their entire hierarchy if necessary. This was originally designed to handle the fact the Neaters may leave fields empty after they finish working, however it may not always work for the benefit of the user.
consider the following common CRD in Istio:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "foo"
spec:
  peers:
  - mtls: {}

NeatEmpty will end up deleting .spec altogether.

Similar thing might happen with emptyDir volumes:
See this configuration example from official docs (https://kubernetes.io/docs/concepts/storage/volumes/#emptydir-configuration-example):

apiVersion: v1
kind: Pod
metadata:
  name: test-pd
spec:
  containers:
  - image: k8s.gcr.io/test-webserver
    name: test-container
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
  volumes:
  - name: cache-volume
    emptyDir: {}

I'm getting this issue with cert-manager where an issuer is configured to be self signed.
kneat Removes the spec altogether which deletes essential information

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  annotations:
  creationTimestamp: "2023-05-02T14:14:49Z"
  generation: 1
  name: letsencrypt-staging
  namespace: test-top-kuard
  resourceVersion: "8869238"
spec:
  selfSigned: {}

It deletes the spec.selfSigned field altogether.