
BitTorrent has worked because of UPnP being allowed by default in home routers.

In an IPv6 network without home routers the problem of malware spreading between peers remains. Chances are high that ISPs will be forced to restrict peer communications just like they did in NATed IPv4 networks.



Prior to CGNAT, ISPs did not generally restrict peer communications in NATed IPv4 networks. The subscriber's router had a public IPv4 address and could accept or forward incoming connections at will. In most cases this could be automated (by default) with UPnP, which is effectively the same as not having a firewall for incoming connections. (If the port is closed anyway then blocking the traffic at the router has no effect, and any application that can open a port can use UPnP to allow incoming connections through the firewall.) The only real restriction compared to IPv6 was that you couldn't run multiple services on the same well-known port, which offers no security advantage to offset the inconvenience.

CGNAT breaks all this, of course, since the public IP address is on the ISP's side and they're unlikely to implement port forwarding on demand. For that matter, there probably aren't enough ports available to support all the subscribers sharing a given public address, and there could be security/trust issues as well with incoming connections to the same IP being dynamically routed to different subscribers according to the port number. (All the problems associated with dynamic IP address reuse, but with much quicker turnover.)

With IPv6 you can either let the destination deal with incoming connections directly—which has about the same security as a NATed IPv4 network with UPnP—or manually configure the firewall to only allow specific connections through according to the destination IPv6 address and/or port. Either way you won't have any issues with multiple hosts wanting to accept traffic on the same port numbers. There is no technical reason why there couldn't be a protocol like UPnP(v6) just for opening ports in the router on demand, but in a NAT-free network it wouldn't really serve any purpose.


>which is effectively the same as not having a firewall for incoming connections

Not the same. Intranet-only services are still protected.


Between malicious or infected hosts inside the network (your own or guests') and the widespread prevalence of hacked routers you really shouldn't trust incoming traffic on the mere basis that it appears to originate from the local network. It's better to treat the intranet as nothing more than a more performant subset within the broader Internet, and all network services as Internet-facing services. Trust no one without authentication.

Assuming you're stuck with some insecure legacy protocol which relies on such rules, however, it's still quite simple to restrict incoming connections to a specific subnet on the host itself, either with local firewall rules or a few lines of code in the application. In a network with UPnP the host is the authority on which connections should be allowed, whether we're talking about Internet services or intranet-only ones, and the host can block incoming connections at least as well as the router. In the absence of NAT there is no need for the router to get involved.
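The "few lines of code in the application" approach from the comment above, as an added example that is not from any commenter: a dual-stack listener that drops any connection whose source is outside a set of intranet prefixes, unwrapping IPv4-mapped IPv6 peers so the IPv4 rules still apply. The prefix list and port 8765 are constructed assumptions.

```python
import ipaddress
import socket
import socketserver

# Constructed allow-list: RFC 1918 IPv4 ranges, IPv6 ULA (fd00::/8) and
# link-local (fe80::/10). Replace with the prefix actually used on your LAN.
INTRANET_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8", "fe80::/10")
]

def normalise_peer(addr):
    """Parse a peer address as reported by socket.accept().

    A dual-stack AF_INET6 listener reports IPv4 peers as IPv4-mapped
    addresses (::ffff:192.168.1.5); unwrap them so IPv4 rules still match.
    A scope ID on a link-local address (fe80::1%eth0) is stripped first.
    """
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_intranet_peer(addr, nets=INTRANET_NETS):
    """True only if the peer falls inside one of the allowed subnets."""
    try:
        ip = normalise_peer(addr)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(ip in net for net in nets)

class IntranetOnlyHandler(socketserver.BaseRequestHandler):
    """Closes any connection whose source is outside INTRANET_NETS before reading."""
    def handle(self):
        if not is_intranet_peer(self.client_address[0]):
            return  # returning closes the socket without touching peer data
        self.request.sendall(b"hello intranet peer\n")

class DualStackServer(socketserver.TCPServer):
    address_family = socket.AF_INET6
    allow_reuse_address = True

    def server_bind(self):
        # Accept IPv4 peers too (seen as ::ffff:a.b.c.d) from one listener.
        self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        super().server_bind()

if __name__ == "__main__":
    # Bind on every interface; the per-connection check, not the bind address, gates access.
    with DualStackServer(("::", 8765), IntranetOnlyHandler) as srv:
        srv.serve_forever()
```

Nothing here stops a host on the LAN that is itself compromised, which is exactly why the comment treats this as a stopgap for legacy protocols rather than a substitute for authentication.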




