by PaulAJ 832 days ago
The ONT's job is to translate from (typically) Ethernet to the optical fibre, and nothing else. In networking terms it's "Level 1"; concerned only with moving bits from one end to the other. Most ISPs will provide an ONT which does that and nothing else, and then a regular router/firewall that plugs into the ONT via Ethernet.

Your security barrier is the firewall in the router, plus whatever encryption you apply to comms outside it. As long as you get that right your ISP can't see what you are doing apart from the to/from addresses on your packets (which can't be hidden, obviously).

ISPs generally push their own managed router/firewall at you because that way, when something isn't working, you don't wind up with arguments about whose fault it is, and the ISP can troubleshoot your router. But in my experience they have no problem with you unplugging their device and plugging your own in instead.

I haven't seen an ISP which does the ONT and the router in a single box. It's theoretically possible, but would be a bad idea for several reasons. One is security, as you say. Another is that the fibre can't be extended with more wire, unlike a copper phone line. So the ONT tends to be a small wall-mounted box with an Ethernet jack in it. That way your Wi-Fi access point isn't stuck low down next to your front door or something.


One point of correction...

> In networking terms it's "Level 1"

What I think you mean to say is "Layer 1" of the OSI model, which is still incorrect. An active device, even when "dumb", is a "Layer 2" (Data Link) device. Ultimately a "bridge" networking device. The device is doing local media conversion which can't be accomplished by physical media interconnects alone. Even if the data link protocol is the same on both sides, bridging the media types often requires a conversion. But in the case of an ONT it's not going to be Ethernet on the WAN / carrier side. Not sure of the setup here, but the PON is usually a very "dumb" last mile, as it's often some sort of DWDM-driven headend that's splitting out wavelengths for downstream consumption by the PON via the OLT and then broken out to Ethernet on the CPE, which is an ONU in this case.

It is not quite as simple. The ONT also maps services to ports. Take for instance an ONT with 4 Ethernet ports and 1 FXO port. The FXO port can be mapped to a SIP service, and each Ethernet port can be mapped to a different network service. They can even have multiple tagged VLANs. Multi-port ONTs are often used to deliver services to multiple businesses sharing a premises, or those that want an equivalent to a leased line in combination with an internet service.

In Portugal you have at least two ISPs that do ONT and router in the same device (MEO and Vodafone).