Comment by jcgl
2 days ago
Those naughty incoming packets can hit your private devices even with NAT-without-state full-firewall. The details depend on how your NAT actually implements the translation, but it’s perfectly possible for $randomHighPort to send all its incoming traffic straight to some device. Said another way, a NAT is not guaranteed to do something like match entries based on the layer 4 4-tuple.
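An added illustration of the point in the comment above, not part of the original comment: a simplified model of one NAT mapping checked under the three inbound filtering behaviours named in RFC 4787, showing that only the strictest one matches on the remote address and port. The `Nat` class, the `demo` helper and all addresses and ports are hypothetical and constructed for this example.

```python
from dataclasses import dataclass, field

# Inbound filtering behaviours as named in RFC 4787.
EIF, ADF, APDF = "endpoint-independent", "address-dependent", "address-and-port-dependent"

@dataclass
class Nat:
    filtering: str
    # external port -> (internal endpoint, set of remote endpoints contacted)
    table: dict = field(default_factory=dict)
    next_port: int = 40000  # constructed starting port for new mappings

    def outbound(self, internal, remote):
        """Internal host sends to remote; create or reuse its mapping."""
        for port, (inside, remotes) in self.table.items():
            if inside == internal:
                remotes.add(remote)
                return port
        port = self.next_port
        self.next_port += 1
        self.table[port] = (internal, {remote})
        return port

    def inbound(self, remote, ext_port):
        """Return the internal endpoint the packet reaches, or None if dropped."""
        entry = self.table.get(ext_port)
        if entry is None:
            return None  # no mapping for this external port
        inside, remotes = entry
        if self.filtering == EIF:
            return inside  # any sender on the internet is forwarded
        if self.filtering == ADF:
            return inside if any(r[0] == remote[0] for r in remotes) else None
        return inside if remote in remotes else None  # full remote match

def demo(filtering):
    """One LAN host opens one flow; three senders then try the mapped port."""
    nat = Nat(filtering)
    lan_host = ("192.168.1.10", 51000)   # constructed sample addresses
    server = ("198.51.100.7", 443)
    port = nat.outbound(lan_host, server)
    senders = {
        "same server, same port": server,
        "same server, other port": ("198.51.100.7", 8080),
        "unrelated host": ("203.0.113.99", 12345),
    }
    return {name: nat.inbound(src, port) is not None for name, src in senders.items()}

if __name__ == "__main__":
    for mode in (EIF, ADF, APDF):
        print(mode, demo(mode))
```

Under endpoint-independent filtering the unrelated host's packet is forwarded to the LAN device, which is the case a separate stateful firewall rule has to cover.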