
Comment by cyberax

1 month ago

Yes, the upstream can hack my private wallet. But it's a CGNAT device somewhere in the T-Mobile network, and hacking it is not at all trivial.

And it's true for most NAT users. Even with the cheapest possible devices.

Of course, in practice most NAT devices _are_ firewalls because they do block incoming packets that are not a part of an established connection. After all, it adds only an insignificant overhead because a NAT device has to track connections anyway.

With IPv6 this is not the case. A router with misconfigured connection tracking will still work. And I actually have seen this in practice on a device that had a missing IPv6 conntrack kernel module.
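
The failure mode described in the comment above can be checked on a Linux router by looking at the IPv6 FORWARD chain. This is an added example, not part of the original comment; it assumes an iptables-based router whose rules are dumped with `ip6tables-save` (nftables rulesets are not covered), and the sample rulesets and interface names are constructed.

```shell
#!/bin/sh
# Classify the IPv6 FORWARD chain from `ip6tables-save` text on stdin.
#   open                    - nothing denies forwarded traffic by default
#   deny-without-conntrack  - default deny, but no ESTABLISHED accept rule
#   stateful                - default deny plus a connection-tracking accept rule
# Limitation: rule order is not evaluated, only the presence of the rules.
audit_ip6_forward() {
    awk '
        /^\*/             { table = substr($0, 2) }   # table header, e.g. *filter
        table != "filter" { next }
        /^:FORWARD /      { policy = $2 }             # chain policy line
        /^-A FORWARD /    {
            if ($0 ~ /--(ctstate|state) [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/)
                tracked = 1
            if ($0 ~ /^-A FORWARD -j (DROP|REJECT)/)   # catch-all deny rule
                deny = 1
        }
        END {
            if (policy == "DROP") deny = 1
            if (!deny)         print "open"
            else if (!tracked) print "deny-without-conntrack"
            else               print "stateful"
        }
    '
}

# Constructed sample: router forwards IPv6 with no stateful filtering.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i br-lan -o wan -j ACCEPT
COMMIT'

# Constructed sample: only replies to established flows come back in.
SAMPLE_STATEFUL='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o wan -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_OPEN"     | audit_ip6_forward
printf '%s\n' "$SAMPLE_STATEFUL" | audit_ip6_forward
```

On a live router the same function can be fed with `ip6tables-save | audit_ip6_forward`.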