by kortilla 1426 days ago
V6 direct to pod is sort of antithetical to k8s though because you’re exposing an ephemeral endpoint directly to users.
3 comments

Yeah, most people assume that pods are not exposed to the Internet so you'd probably want to block that. But using GUA addresses for pods is a good idea because it eliminates NAT and overlapping IPs.
Doesn't mean you have to expose it. V6 direct to ClusterIP/LoadBalancerIP/ExternalIP makes more sense and CNIs like Calico have this functionality as a first-class citizen.
Why would you not firewall those off? You could use different subnets for internal traffic and exposed deployments just like you can on IPv4. It's all just a naming scheme more than anything, though it's one which you can make work across firewalls if you disable enough firewall rules on both sides.

Functionally, there's little difference between a private /8 or a DHCPv6 /64 except that you can serve even more hosts.
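As an added illustration of the "firewall those off" point above (example configuration, not from any commenter or project): a Kubernetes NetworkPolicy that keeps GUA-addressed pods reachable only from the cluster's own IPv6 ranges, beside a second policy for a namespace that is meant to be exposed. Every prefix is a placeholder from the 2001:db8::/32 documentation range and must be replaced with the cluster's real pod and node CIDRs.

```yaml
# Added example, not part of the original thread.
# Pods in "internal" keep their globally routable (GUA) addresses, so NAT is
# avoided, but only sources inside the cluster may open connections to them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress-to-cluster-v6
  namespace: internal
spec:
  podSelector: {}          # applies to every pod in the namespace
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Placeholder pod range: other cluster pods may initiate connections.
        - ipBlock:
            cidr: 2001:db8:1000::/56
        # Placeholder node range: kubelet probes and host-network pods still work.
        - ipBlock:
            cidr: 2001:db8:2000::/64
---
# Pods in "edge" are the deployments intended to be exposed; they accept
# ingress from any IPv6 or IPv4 source, matching the "different subnets for
# internal traffic and exposed deployments" idea, expressed as a policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-anywhere
  namespace: edge
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: ::/0
        - ipBlock:
            cidr: 0.0.0.0/0
```

The first policy also affects traffic that arrives through a Service: with externalTrafficPolicy Cluster the source is SNATed to a node address (covered by the node range), while with Local the client's own address is preserved and would be denied unless the client range is added.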