Yes, and every router has to do it properly by default, which so far they haven't really been. NAT is a lot harder to do wrong, 'cause the local IPs aren't even addressable.
It's not harder to do wrong, it's just less noticeable when done wrong. It's been a security consideration since NAT was created, and a persistent issue since then:
It's defense in depth. I don't understand if and how this exploit allows an attacker to hit port 80 on my PC for instance, but either way it looks like a pretty sophisticated attack only discovered in 2021, and I still don't see panic over it.
If they haven't really been, then NAT wouldn't be working either, that's the point I'm making. NAT requires connection tracking to function, because NAT is actually an extra step on top of a basic stateful firewall, and the mapping part isn't the part that provides security, it is the connection tracking part.
Then disable it. IPv6 SLAAC privacy extensions are device-controlled, meaning neither your ISP nor your router can force you to use/not use them (unless they're so incompetent that they do things like hand out /128s).
I disable privacy extensions on my server so that I can give it a static IP within the prefix, so I can vouch that (at least on Linux) the process is quite simple.
Well, what I do is disable IPv6. I don't want the possibility that this is misconfigured, especially if the defaults tend to be wrong. Maybe my router doesn't even respect my firewall settings, like this: https://community.verizon.com/t5/Fios-Internet-and-High-Spee... Maybe the customer is wrong, but this shouldn't even be a question.
The rare times I want something publicly accessible, I use DMZ or port forwarding.
Not really. Many home routers used to assign all ports to the first device to connect to the router, and you'd need to set up NAT just for your second computer. Eventually the default settings wised up.
It is much more probable that security defaults will be much tighter today than they were when ADSL initially took off.
If you take away the mapping the tracking doesn't go away. Inbound traffic still needs to match a session created by outbound traffic.
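To make the connection-tracking point concrete, here is an added nftables ruleset (not posted by anyone in the thread) for a small Linux router. It assumes the interface names "wan0" and "lan0". The `ct state` rules provide the "inbound must match an outbound session" behaviour for both IPv4 and IPv6; the separate `nat` table only rewrites IPv4 addresses and adds no filtering of its own, so removing it leaves the IPv6 side just as protected.

```nftables
# Constructed example ruleset; interface names wan0/lan0 are assumptions.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # The security-relevant part: only replies to sessions the
        # router itself initiated are allowed back in.
        ct state established,related accept
        ct state invalid drop

        iifname "lo" accept
        # Let the LAN reach the router (DHCP, DNS, SSH, etc.).
        iifname "lan0" accept
        # ICMPv6 is required for IPv6 to function (ND, PMTUD); no ports here.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        # Same rule for IPv4 diagnostics.
        icmp type { destination-unreachable, echo-request, time-exceeded } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Same stateful rule for traffic passing through the router:
        # inbound from wan0 is only forwarded if it matches a session
        # created by outbound traffic from lan0. This is the behaviour
        # people attribute to NAT, and it applies equally to IPv6 here.
        ct state established,related accept
        ct state invalid drop

        # LAN may originate new sessions to the internet (v4 and v6).
        iifname "lan0" oifname "wan0" accept
        # ICMPv6 packet-too-big must traverse the router for PMTUD to work.
        oifname "lan0" icmpv6 type packet-too-big accept
    }
}

# IPv4-only address rewriting. This table performs the "mapping" and
# nothing else; deleting it changes addressing, not the filtering above.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and inspect with `nft list ruleset`; the IPv6 forward chain keeps its policy drop without any NAT involved.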