> Only allowing packets from the outside related to a connection initiated from the inside.

NAT a.k.a IP masquerading does not do that, it only figures out that some ingress packets whose DST is the gateway actually map to previous packets coming from a LAN endpoint that have been masqueraded before, performs the reverse masquerading, and routes the new packet there.

But plop in a route to the network behind and unmatched ingress packets definitely get routed to the internal side. To have that not happen you need to drop those unmatched ingress packets, and that's the firewall doing that.

Fun fact: some decade ago an ISP where I lived screwed that up. A neighbour and I figured out the network was something like that:

    192.168.1.x --- 192.168.1.1 --
                                  \
                                   10.0.0.x ----> WAN
                                  /
    192.168.2.x --- 192.168.2.1 --

192.168.1 and 192.168.2 would be two ISP subscribers and 10.0.0.x some internal local haul. 192.168.x.1 would perform NAT but not firewall.

You'd never see that 10.0.0.x usually as things towards WAN would get NAT'd (twice). But 10.0.0.x would know about both of the 192, so you just had to add respective routes to each other in the 192.168.x.1 and bam you'd be able to have packets fly through both ways, NAT be damned.

Network Address Translation is not a firewall and provides no magically imbued protection.