In any case, your endpoints really do need to be reasonably secure in themselves - especially if the firewall isn’t yours as then you are probably sharing the network with other devices on the inside of the network that can attack you directly, and even if not, it just takes one device being compromised and somebody has full inside access to the network, with the firewall not being able to do much…

The same comment applies to ipv4. Port bindings accessible from outside by accident, misconfigured upnp, SIP-ALG with vulnerabilities, various other router issues. "What if my firewall is broken" is not a new ipv6 consideration.