I now receive a block of IPv6 from Comcast. I allow the router to assign them to devices on the network, but I admit that I am somewhat worried that my local PC is no longer isolated from the Internet by a private IP.
You want to set up an 'egress only' v6 gateway for your /64s (or however you carve up your netblock). That is going to be the closest analogue to behind-a-NAT-like behavior.
My mum's boring broadband connection, with a free router supplied by the ISP in the UK, has the functionality next to the port forwarding settings for IPv4.
That's typical. Look up IPv6 pinhole to see how ISPs document it.
OK, so I suspect that it varies greatly among markets.
But I wonder, is it a fair assumption that the router that you get will either 1) not route IPv6 at all, or 2) route IPv6, and by default deny incoming traffic? Problematic would be ones that routed IPv6, and by default accepted incoming traffic.
Most people don't buy routers; they are given them by their ISPs. My parents switched ISP at the start of the year and were given a 5-year-old modem/router.
In many countries the ISP supplies the router. I've had IPv6 capable routers for years and years in Britain, but it's only in the last 2 years or so that the IPv6 address has been assigned by the ISP.
What's more secure than a device you cannot possibly reach?
I'll take an insecure device isolated at the bottom of the ocean in a titanium block over a probably-secure device that is publicly addressable any day.
Be sure that you are really isolated if relying on it for protection. It's only as secure as the least secure node inside the bubble, and there can be quite a dangerous in large networks like in a company or campus. It would not surprise me if a number of WannaCry victims were behind NAT and got infected by a machine on the same local network.
I was at a company that made a mistake like this during their IPv6 rollout. The firewalls are different and individual, and initially they only had iptables rules on their BGR and an empty ip6tables set.
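An added example, not part of the thread: a check for the gap described in the last comment, where IPv4 is filtered by iptables but the ip6tables ruleset is empty. It assumes you feed it the text output of `iptables-save` and `ip6tables-save`; the function names, interface names and sample rulesets are constructed for illustration, and the check is a heuristic that does not follow jumps into user-defined chains.

```python
import re

# Constructed samples in iptables-save / ip6tables-save text format.
V4_SAMPLE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
V6_EMPTY = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
V6_FIXED = V4_SAMPLE.replace("-A INPUT -i lo", "-A INPUT -p ipv6-icmp -j ACCEPT\n-A INPUT -i lo")

def parse_filter(save_text):
    """Return {chain: {"policy": str, "rules": [str]}} for the filter table."""
    chains, in_filter = {}, False
    for line in map(str.strip, save_text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and (m := re.match(r":(\S+)\s+(\S+)", line)):
            chains[m.group(1)] = {"policy": m.group(2), "rules": []}
        elif in_filter and line.startswith("-A "):
            chain = line.split()[1]
            chains.setdefault(chain, {"policy": "-", "rules": []})["rules"].append(line)
    return chains

def default_open(chains, name):
    """True if the chain accepts by default and contains no DROP/REJECT rule."""
    chain = chains.get(name)
    if chain is None:  # table never loaded: the kernel filters nothing
        return True
    blocks = any(re.search(r"-j (DROP|REJECT)\b", r) for r in chain["rules"])
    return chain["policy"] == "ACCEPT" and not blocks

def v6_gaps(v4_text, v6_text, chains=("INPUT", "FORWARD")):
    """Chains that are filtered for IPv4 but left open for IPv6."""
    v4, v6 = parse_filter(v4_text), parse_filter(v6_text)
    return [c for c in chains if not default_open(v4, c) and default_open(v6, c)]

if __name__ == "__main__":
    print("empty ip6tables:", v6_gaps(V4_SAMPLE, V6_EMPTY))
    print("matching rules: ", v6_gaps(V4_SAMPLE, V6_FIXED))
```

An entirely empty `ip6tables-save` output (filter table never loaded) is reported the same way as a table with ACCEPT policies and no rules.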