The problem I have had with this setup is that allowing inbound traffic to things that need it becomes tricky. Some devices don't support DHCPv6 (like Android) and some firewalls don't let you do suffix matching. With a dynamic block via PD, the rules to allow inbound traffic to, say, an Xbox become quite complicated.
You can still have a firewall on the router level, just as you do with IPv4. You shouldn’t allow any external traffic by default anyway and NAT shouldn’t be a security measure.
I know, I'm saying that when you want to embrace globally routable addresses for outbound AND inbound, it's hard with Prefix Delegation and spotty DHCPv6 support.
ISPs should be forced to let customers get IPv6 prefix reservations. Yes, PD doesn't change for most, but I'd rather not use PD at all.
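The suffix matching mentioned in the first comment, as an added example that is not part of the thread: an inbound allow rule pinned to a full address stops matching when the delegated prefix changes, while a rule that compares only the low 64 bits keeps matching, but only for a host with a stable interface identifier. All prefixes, identifiers and function names are constructed for illustration.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits: the interface identifier

def full_address_rule(addr):
    """Classic rule: allow one exact /128 destination."""
    want = ipaddress.IPv6Address(addr)
    return lambda dst: ipaddress.IPv6Address(dst) == want

def suffix_rule(suffix, mask=IID_MASK):
    """Suffix rule: compare only the masked bits, ignore the prefix."""
    want = int(ipaddress.IPv6Address(suffix)) & mask
    return lambda dst: int(ipaddress.IPv6Address(dst)) & mask == want

# Constructed sample data (documentation prefix 2001:db8::/32).
OLD_PREFIX = "2001:db8:aaaa:1"      # prefix delegated before renumbering
NEW_PREFIX = "2001:db8:bbbb:1"      # prefix delegated after renumbering
CONSOLE_IID = "211:22ff:fe33:4455"  # stable identifier of the allowed host
OTHER_IID = "a00:27ff:fe00:1"       # a different host on the same LAN
TEMP_IID = "5c3e:91ab:7f02:d4c8"    # allowed host using a temporary address

def evaluate():
    """Return {case: (full_address_rule_allows, suffix_rule_allows)}."""
    pinned = full_address_rule(f"{OLD_PREFIX}:{CONSOLE_IID}")
    suffix = suffix_rule(f"::{CONSOLE_IID}")
    cases = {
        "console_old_prefix": f"{OLD_PREFIX}:{CONSOLE_IID}",
        "console_new_prefix": f"{NEW_PREFIX}:{CONSOLE_IID}",
        "other_host_new_prefix": f"{NEW_PREFIX}:{OTHER_IID}",
        "console_temp_addr": f"{NEW_PREFIX}:{TEMP_IID}",
    }
    return {name: (pinned(dst), suffix(dst)) for name, dst in cases.items()}

if __name__ == "__main__":
    for name, (by_addr, by_suffix) in evaluate().items():
        print(f"{name:24} full-address={by_addr!s:5} suffix={by_suffix}")
```

The last case is the caveat: if the host sources or expects traffic on a randomized temporary address, the suffix rule does not cover it either.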