Comment by dissent
7 hours ago
NAT isn't protecting them. Not being on the public internet at all is protecting them.
NAT is then unprotecting them a little by letting them punch out again. It's super easy for routers to implement this behaviour by default if your LAN is publicly addressable, and removes a whole class of exploits caused by applications making NAT hacks.
This is splitting hairs. The point stands that PAT is the de facto firewall for most SOHO users.
Not in the context of claiming NAT offers protection.
An IPv6 LAN with default ingress deny is more secure than IPv4+NAT.