> I've only read that on HN, I've never heard this anywhere else.

Well-regarded networking architect, author, and instructor:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

> NAT works and passes the grandma test.

So does my Asus with a default deny IPv6 rule on incoming connections.

You're more likely to click on a link that installs malware that attacks your network from the inside, and that attack works regardless of IPv4 or IPv6.

Treating a firewall as some impenetrable moat has not been network security practice for a decade(+), and waving around RFC 1918 address space like systems with a 10.8 or 192.168/16 can't get infected is lazy thinking. It leads to complacency: I'm behind NAT, I'm safe.