Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.
You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)
