Wow and if you dig a hole in your driveway that should stop thieves getting to your house, or least by your description.
NAT provides no security whatsoever, the printer mentioned above only needs to initiate a single outgoing packet to the router that will then open a port public side and any (that is ANY!) internet traffic that hits that port public side will be sent to the printer. About time people stopped confusing the basic "established" firewalls rules used in home router devices for NAT providing security!
As for how can someone route to your 192.168.1.0/24 IP space at home behind your NAT device. Quite easily remember the box is just a router passing traffic from any connected subnet to another. This assumption just says I expect my ISP to not forward traffic using private addressing on the source or destination and most don't do this. There are varying methods to get traffic destined to your private range at home to pass over the net.
NAT simply states if traffic passing the router meets this rule then change the source/destination IP and/or port to something else, if it does not meet this rule then pass it unmodified. <- here see no security at all!
Your firewall is what says if this traffic is from the WAN and is not for an established connection in the connection tracking table then drop it usually via the implicit deny any any rule at the bottom.
Sure plenty of you will go on thinking NAT provides security until your IPv6 printer starts spitting out pages of unwanted messages - of course it won't as your ISP will have enabled the firewall by default.
This doesn't even account for the open wireless access point installed on most home printers these days (a quick scan of my neighborhood shows plenty)