> I explicitly don't want any IP addresses in my green zone to be directly accessible from my red zone.
This is exactly what the job of a firewall is.
NAT is a hack due to IP address exhaustion. Any security is a side effect. Nothing that says "NAT" on the tin is obligated to protect you.
NAT on your own network, if you really drink that kool-aid, is fine. I'm more concerned about CGNAT. If ISPs implement NAT (called CGNAT), it means you can't accept incoming connections without your ISP approving/supporting it. I don't want to have to beg my ISP to open ports for me and question/approve why I'm doing it.
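Added example, not part of the comment above and not any vendor's or ISP's configuration: an nftables ruleset that does the firewall's job the comment describes, with no NAT involved. It assumes a router with interface `wan0` facing the "red zone" and `lan0` facing the "green zone", and uses the documentation prefix `2001:db8::/32` for a constructed address. Both the input and forward chains default to drop, so nothing in the green zone is reachable from the red zone unless a rule says so explicitly, which is the property the commenter wants and which globally routable IPv6 addresses do not change.

```nft
# Added example (assumed interface names wan0 = red zone, lan0 = green zone).
# Policy: green zone may initiate outbound; red zone may initiate nothing
# inbound unless a rule explicitly permits it. No NAT is needed for this.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Router's own loopback and return traffic for flows it started
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 must pass for IPv6 to work at all (NDP, PMTUD)
        meta l4proto ipv6-icmp accept
        meta l4proto icmp accept

        # Router management reachable only from the green zone
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections already allowed below
        ct state established,related accept
        ct state invalid drop

        # Green zone hosts may open connections toward the red zone
        iifname "lan0" oifname "wan0" accept

        # Red zone -> green zone is dropped by policy. Exposing one service
        # is a deliberate, auditable exception (constructed address shown):
        # iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 443 accept
    }
}
```

The commented-out rule at the end is the point of contrast with CGNAT: on a router you control, exposing a service is one explicit line in your own ruleset, and `nft list ruleset` shows exactly which inbound paths exist; behind CGNAT the same decision sits with the ISP.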