Yes, NAT != firewall, but most consumer machines with static/world routable/reachable IPs have been particularly prone to attack over the years. Public access points (hotel, airport, etc) offer a similar level of risk -- yes Firewalls are important, but I'd pretty much make sure most machines/devices under my control in my home network (v6 or v4) not be world reachable. I'm just oldskool paranoid that way.
The only way you can make a device "not be world reachable" is to not connect it to the internet. It's silly to think that a vulnerable application invoking listen() is more dangerous than a vulnerable application invoking connect(). As soon as you connect to some cloud server you're exposed to any malformed data anyone can ask it to relay to you.
