Some people would state "this box is not on the internet" while it actually is only behind nat. As soon as you have two such boxes being able to communicate, for instance "two laptops playing online together" you realize they ARE on the internet. With home-routers allowing UPNP and such things, its even more open than that.
So the general idea that things will be safe from being behind nat is more or less wrong, unless you have 100% control over all possible traffic generated from the inner host(s), at which point you could have had it without firewall more or less. Will your robo-hover never phone home, never look for tuesday patches, java updates, OTA firmwares or talk to some license server or whatever? Then nat is ok, but if any of this can happen in some situation, then it is "on the internet" even if it started out behind nat.
It moves a machine along the scale from unreachable closer to unprotected-and-exposed-to-everything even if it's not all the way there.
So the general idea that things will be safe from being behind nat is more or less wrong, unless you have 100% control over all possible traffic generated from the inner host(s), at which point you could have had it without firewall more or less. Will your robo-hover never phone home, never look for tuesday patches, java updates, OTA firmwares or talk to some license server or whatever? Then nat is ok, but if any of this can happen in some situation, then it is "on the internet" even if it started out behind nat.
It moves a machine along the scale from unreachable closer to unprotected-and-exposed-to-everything even if it's not all the way there.