It's true that almost everything comes with a firewall rule that blocks new connections from the WAN to the LAN, so in practice these connections will be blocked on most things by default. But they come with this rule precisely because NAT doesn't do the job.
It is the default and default is secure. Users don't have to reason about it, they can assume it works, how doesn't matter and they may lack training/willingness to figure out.
You can't say the same for IPv6 where default is allow (have things changed?, havent checked in a long time)
Of course you can say the same for v6. Blocking connections that go from WAN to LAN by default has the same effect on both protocol families. If you assume that having the appropriate firewall rule to do that is the default then inbound connections will also be blocked on v6 by default.
NAT contributes nothing to your security in this scenario, and instead makes it harder (not easier) to understand and reason about what your router is doing.
Ah, okay. In that case v4 doesn't have a firewall by default either.
That's precisely why routers come configured with a firewall that blocks inbound connections from the WAN -- because the protocol itself doesn't have a firewall by default, and neither does NAT.
I have yet to see a router that allows that forwarding unless explicitly configured. Still, i'm using mostly openwrt/opnsense/mikrotik
Default is to disallow/block forwarding packets from public wan to private range lan.
ISP can still inject packets on ports that NAT opens if it spoofs the source address/port, so you still have some validity to argument.