
NAT, including CG-NAT, really provides no security benefits. Too many comments, blogs, etc., have been written on this topic for me to reiterate the specifics here.

NAT, including CG-NAT, provides near zero privacy benefits. Nobody is tracking by IP address - there are far, far, far more accurate ways; again, I won't reiterate all the ways this happens, Google it (or is the TLS session resumption one still on the front page as one example?)

NAT and CG-NAT provide real drawbacks. Drawbacks most people won't understand, and that's OKAY. Not everyone needs to understand them, but when you don't understand something, please don't advocate for it with specifics like "happy with CG-NAT because of the security and privacy benefits"; instead, just leave it as "happy with CG-NAT, I don't see any drawbacks".




I agree with the statement that NAT provides no privacy benefits, but there are security benefits to NAT. As Robert Graham says, "NAT is a firewall. It's the most common firewall. It's the best firewall."

https://blog.erratasec.com/2017/01/nat-is-firewall.html


That article is, well, wrong.

If all you rely on is NAT, and you turn the firewall on your router off, it is possible for outside attackers to send unexpected packets through the NAT device and right to your endpoints.

The targets are limited to the entries contained within the NAT translation tables, but that's still a pretty leaky "firewall".

NAT is just not a firewall, all it does is translate addresses, or in the case of PAT, Ports+Addresses. It does not filter the packets it receives, it just translates them.
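Added illustration (my own toy model, not any commenter's code or any real router firmware): a PAT translation table that rewrites addresses and ports. With no filtering policy, any sender that addresses an existing external port mapping is translated and forwarded to the LAN host; only the added "endpoint" check, which is a stateful firewall function rather than translation, drops it. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    """filtering="none": pure translation (any sender may use a mapping).
    filtering="endpoint": only the remote endpoint the LAN host contacted may."""

    def __init__(self, public_ip: str, filtering: str = "none") -> None:
        self.public_ip, self.filtering = public_ip, filtering
        self.next_port = 40000
        self.mappings: dict[tuple[str, int], int] = {}  # (lan ip, port) -> ext port
        self.table: dict[int, tuple[str, int, str, int]] = {}  # ext port -> lan, remote

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) an external port, rewrite the source."""
        key = (pkt.src, pkt.sport)
        ext_port = self.mappings.get(key)
        if ext_port is None:
            ext_port = self.mappings[key] = self.next_port
            self.next_port += 1
        self.table[ext_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: rewrite the destination if a mapping exists, else drop."""
        entry = self.table.get(pkt.dport) if pkt.dst == self.public_ip else None
        if entry is None:
            return None  # no table entry: nothing to translate to, so no LAN target
        lan_ip, lan_port, remote_ip, remote_port = entry
        if self.filtering == "endpoint" and (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return None  # dropped by the stateful filter, not by translation
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


def stray_reaches_lan(filtering: str) -> bool:
    """After one outbound flow, does a packet from an unrelated host get through?"""
    nat = Pat("203.0.113.7", filtering)
    nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))  # LAN client talks out
    stray = Packet("198.51.100.99", 12345, "203.0.113.7", 40000)  # constructed unrelated sender
    return nat.inbound(stray) is not None
```

`stray_reaches_lan("none")` is True and `stray_reaches_lan("endpoint")` is False: the translation table is the same in both cases, and only the filter decides.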


Any IPv6-capable CPE I have seen also has an IPv6 firewall that blocks incoming connections without the downsides of NATs.


I have seen some that don't. Back in the early days of residential ISPs offering IPv6. But that's a thing of the past - and the same mistakes happened on the early IPv4 routers when dialup was disappearing and DSL/Cable was kicking off.

Having IPv6 will be exactly as secure as IPv4+NAT by default on any CPE. And, just as with NAT+v4, it's possible to open your machines to the world if you have no idea what you're doing.

(This is actually pretty common for gamers who set the "DMZ host" router feature to aim at their desktop and flick off the firewall!)


Most of the IPv6 CPE I've used also has the 'feature' where it's almost impossible to allow incoming connections on IPv6 if you want to :(


Newer devices might support the Port Control Protocol, so applications can ask for the port to be forwarded on IPv4 and allowed in the firewall for IPv6.


Which does not solve the common case when you want to pass unfiltered ingress traffic to a few specific hosts and have the default reject-unknown-ingress behavior for all other LAN hosts. Just give me the ability to set my own firewall rules when I need to, instead of a drop-all/drop-ingress/accept-all combo-box with a confusing label.
