Or has all this changed or I misunderstood?
It hasn't changed, and you have misunderstood. I think.
At home, my router is given a fixed IPv6 prefix, 2a01:stuff::/56, by my ISP. That doesn't change, even though the public IPv4 of its WAN interface changes every time anything reboots or disconnects/reconnects the router. (The key point, I think, is that that prefix belongs to the LAN interfaces of the router, not the WAN interface.)
The router then distributes this prefix to the machines in my local network that need it (1). Being a 2a01 prefix, it's globally valid, not ULA, and there is no IPv6 NAT needed. (2)
And yes, there's a firewall in there. A UTM, more specifically, which does a substantial amount of intrusion prevention and stateful inspection (and is even configured to tolerate this and that and the other alarm-raising behaviour ONLY from that small list of external addresses). (Some wacky behaviour on the part of the Steam store CDN, mostly.)
(1) The Windows 2000 VM that I boot up occasionally does not have IPv6 configured, so it doesn't have any need of this stuff.
(2) That's almost true, but the IPv6 NAT that's needed is done by the UTM/IPS firewall to redirect DNS requests that are supposedly going to the WAN routerbox to instead go to an RPi that's running an Active Directory DC on Samba 4+ and Samba's internal DNS support. Windows 10 seems to behave very oddly if you configure automatic addressing and a forced DNS server address. Internet access *works* just fine, but the "you have Internet connectivity" detector thinks you're not connected.
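An added illustration of the points above (not code from the poster): it classifies IPv6 addresses by scope (global prefix vs ULA vs link-local), carves a delegated /56 into the /64s a router hands out to its LAN interfaces, and models the inbound default-deny a stateful firewall applies in place of NAT once every LAN host is globally addressable. The prefix and addresses are constructed sample values from the RFC 3849 documentation range, since the real 2a01 prefix is not given; the `pinholes` structure is a hypothetical stand-in for whatever port-forward/allow rules a real UTM would hold.

```python
"""Added example: IPv6 scope classification, prefix delegation into /64s, and
an inbound default-deny model for a NAT-less stateful firewall.  All values
below are constructed; the delegated prefix is documentation space (RFC 3849)
standing in for the post's real ISP-assigned /56."""
import ipaddress

# Constructed stand-in for the ISP-delegated /56 (RFC 3849 documentation space).
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:ff00::/56")

GUA = ipaddress.IPv6Network("2000::/3")         # globally routable unicast
ULA = ipaddress.IPv6Network("fc00::/7")         # unique local, never routed on the Internet
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # valid on one link only


def classify(addr):
    """Return the scope class of an IPv6 address as a short string."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    if a in GUA:
        return "gua"
    return "other"


def lan_subnets(prefix=DELEGATED_PREFIX, lan_prefixlen=64):
    """The /64s a router can assign to its LAN interfaces out of a delegated prefix."""
    return list(prefix.subnets(new_prefix=lan_prefixlen))


def in_delegation(addr, prefix=DELEGATED_PREFIX):
    """True if addr lies inside the delegated prefix, i.e. it is one of our hosts."""
    return ipaddress.IPv6Address(addr) in prefix


def inbound_new_allowed(dst, dport, pinholes, prefix=DELEGATED_PREFIX):
    """Model a stateful firewall's decision for a *new* inbound flow from the WAN.

    With no NAT, address translation is not what keeps unsolicited traffic out;
    the firewall is.  Policy: drop unless the destination is a host inside our
    delegated prefix AND an explicit pinhole (hypothetical set of (address, port)
    pairs) exists for it.  Return traffic for outbound flows would be matched by
    the state table and is not decided here.
    """
    if not in_delegation(dst, prefix):
        return False  # not ours at all; nothing to forward
    normalized = str(ipaddress.IPv6Address(dst))  # compressed form, so lookups are canonical
    return (normalized, dport) in pinholes


if __name__ == "__main__":
    subs = lan_subnets()
    print(f"{DELEGATED_PREFIX} -> {len(subs)} LAN /64s, first {subs[0]}, last {subs[-1]}")
    for a in ("2001:db8:abcd:ff01::10", "fd12:3456:789a::1", "fe80::1", "2001:db8:ffff::1"):
        print(f"{a:28} {classify(a):10} ours={in_delegation(a)}")
    pinholes = {("2001:db8:abcd:ff01::10", 443)}
    print(inbound_new_allowed("2001:db8:abcd:ff01::10", 443, pinholes))  # True
    print(inbound_new_allowed("2001:db8:abcd:ff01::10", 22, pinholes))   # False
    print(inbound_new_allowed("2001:db8:ffff::1", 443, pinholes))        # False
```

The `classify` check is the one a firewall or log-review script needs before anything else: a ULA or link-local source arriving on the WAN side should never be there, while a GUA destination inside your own delegation is exactly the case where the stateful rule set, not NAT, is doing the protecting.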