If you're not running a firewall, your router is just as vulnerable as any device behind it would be with IPv6 — that is, potentially vulnerable on any port it might listen to. NAT is not a firewall, it's an ugly workaround to a scalability issue.
For most home IPv6 networks, blocking all incoming traffic from the egress port will achieve the same level of security as a NAT'd IPv4. Different router/fw manufacturers would need their own guides on how to do that, but IMO any sane consumer product should be configured like that by default.
I suppose you should never blindly trust the competence of an ISP-provided router, but I would expect it to automatically block all incoming IPv6 traffic unless you explicitly add forwarding rules.
You can always enable v6, then see if you can reach internal machines from a machine on the internet (like a VPS or over a cell connection).
This is probably going to be the case for most professional devices that have CLI configuration and expect the user to be familiar with networking.
They don't know what you're going to use it for, and in real networks, the sensible home default of "allow outgoing, deny incoming" doesn't usually make much sense. You're probably going to have dedicated firewall devices somewhere else in your network.
Any/all consumer routers do stateful packet inspection for IPv6: by default no traffic will get in unless it is a reply to a previous outgoing request.
If you have an Asus/D-Link/whatever there's nothing special to be done.
You can likely re-enable IPv6 and simply block all incoming IPv6 traffic except for ICMP and it'll be quite alright. If you're using OpenWrt, for example, the default firewall has this exact configuration.
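The policy the comments above describe (replies to outgoing connections are allowed in, unsolicited inbound IPv6 is dropped, ICMPv6 stays open) written out as an nftables ruleset for a Linux-based router. This is an added example, not any commenter's configuration and not the ruleset OpenWrt ships; the interface names `wan` and `lan` and the use of DHCPv6 on the ISP side are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interface names: "wan" faces the ISP, "lan" the home network.
define WAN = "wan"
define LAN = "lan"

table ip6 home_v6 {
    # Traffic routed THROUGH the router to devices behind it.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful part: packets belonging to connections a LAN host opened.
        ct state established,related accept

        # LAN hosts may open new connections to the internet.
        iifname $LAN oifname $WAN accept

        # ICMPv6 errors are needed for path MTU discovery and diagnostics;
        # blocking packet-too-big breaks connections in hard-to-debug ways.
        iifname $WAN icmpv6 type { destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request } limit rate 100/second accept

        # Everything else arriving from WAN falls through to "policy drop".
    }

    # Traffic addressed TO the router itself (its own listening ports).
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # Neighbor discovery and router advertisements: IPv6 stops working
        # without these, so they are accepted on every interface.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert, destination-unreachable,
            packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 replies from the ISP (assumption: the ISP uses DHCPv6 / prefix delegation).
        iifname $WAN udp sport 547 udp dport 546 accept

        # Management, DNS and DHCP for the home network; nothing else from WAN.
        iifname $LAN accept
    }
}
```

The `forward` chain protects the devices behind the router, while the `input` chain covers the router's own listening ports, which is the exposure the first comment points out.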
Are there any guides for how to properly secure a home network so that I can re-enable IPv6 with a clear conscience?