No, it's a single network segment, not an end user. There unfortunately are quite a number of providers who seem to think that it should be, but that's braindead, exactly because it allows for only one network segment (if you want to use autoconfiguration), while the address space is intentionally so large as to not restrict people to specific network architectures and also to avoid any administrative overhead for allocation of additional addresses - the original assumption was that every "end site" (that is, a customer of an ISP) gets a /48 by default, unless they show that they do indeed need more (which would be a very rare exception).
You will block many more possible addresses, but you'll still only block one subscriber's network(s), which is exactly equivalent to blocking a v4 NATed address - you block all of their LAN, regardless of which individual device is compromised and which one isn't.
Sure it is, but it's still just a single firewall rule. There isn't really any difference for the firewall whether you block a specific address or some network prefix.
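The point made in the comments above, as an added example that is not part of the original thread: offending IPv6 source addresses are collapsed to their covering /64 (one segment) or /48 (one end site), and each prefix becomes a single drop rule. The sample addresses are constructed from documentation ranges, and the nftables table and chain names (`inet filter input`) are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of abusive source addresses (documentation ranges only).
OFFENDERS = [
    "2001:db8:aa:1:211:22ff:fe33:4455",
    "2001:db8:aa:1:9c1f:3b02:77de:a10",  # same /64, different interface ID
    "2001:db8:aa:2::50",                 # same /48, second segment
    "2001:db8:bb:1::7",                  # different end site
    "203.0.113.9",                       # IPv4: blocked as a single (NATed) address
]


def covering_block(addr, v6_prefix=64):
    """Return the network to block for one source address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.ip_network(ip)  # /32 host route
    # strict=False masks off the host bits below the chosen prefix length.
    return ipaddress.IPv6Network((ip, v6_prefix), strict=False)


def group_by_prefix(addresses, v6_prefix=64):
    """Map each covering prefix to the number of offending addresses inside it."""
    hits = Counter(covering_block(a, v6_prefix) for a in addresses)
    ordered = sorted(hits, key=lambda n: (n.version, n))
    return {str(net): hits[net] for net in ordered}


def nft_rules(addresses, v6_prefix=64):
    """One drop rule per prefix; table/chain names are assumed, not from the thread."""
    rules = []
    for net in group_by_prefix(addresses, v6_prefix):
        family = "ip6" if ":" in net else "ip"
        rules.append(f"add rule inet filter input {family} saddr {net} drop")
    return rules


if __name__ == "__main__":
    for plen in (64, 48):
        print(f"--- IPv6 aggregated to /{plen} ---")
        for rule in nft_rules(OFFENDERS, plen):
            print(rule)
```

Widening the prefix from /64 to /48 reduces the rule count when a subscriber uses several segments, while the per-rule cost for the firewall stays the same.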