simoncion 9 hours ago
> I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet.

To get the "unsolicited traffic is rejected or dropped" behavior of the typical IPv4 NAT, forward inbound traffic that's related to an established connection and drop or reject the rest.

You can also use the exact same NAT techniques you use for IPv4 addresses with IPv6 addresses. The only differences are that instead of you using RFC 1918 Private Internets addresses (10./8 and friends) you use RFC 4193 ULA addresses (fd00::/8), and you need the usual NAT rules on your edge router, except for IPv6, rather than IPv4. Remember that IPv6 is still IP, just with larger addresses.

It's recommended that you generate your ULA subnet rather than selecting one by hand, but absolutely nothing stops you from choosing fd::/64. If you're statically assigning addresses to your LAN hosts, then your router could be -say- fd::1 and you count up from there. Also note that DHCP exists for IPv6 [0] and is used by every non-toy OS out there except for Android.

> I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next...

IPvnext is not happening in either of our lifetimes. You're either going to have to buy edge gear that's set up with a "reject or drop unsolicited inbound forwarding traffic" firewall, or learn how to set it up yourself. Either path is not hard. Well, I guess there's secret option #3: "Die without doing either.". That's also not hard.

[0] It has been around for nearly twenty-three years.
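The policy simoncion describes, written out as an nftables ruleset for a home edge router: replies to connections LAN hosts opened are forwarded, everything else arriving from the WAN is dropped, and LAN hosts on an RFC 4193 ULA prefix are masqueraded the same way an IPv4 NAT would do it. This is an added example, not code from the thread; the interface names and the ULA prefix are assumptions, and the ICMPv6 allowance goes beyond the comment because IPv6 path MTU discovery breaks without it.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Interface names and the ULA prefix
# are assumptions; generate your own prefix per RFC 4193 rather than
# copying this one.
define WAN     = "wan0"
define LAN     = "lan0"
define LAN_ULA = fd12:3456:789a::/64   # constructed ULA prefix

table ip6 edge {
    chain forward {
        # Default-deny for anything crossing the router.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections a LAN host opened (the "related
        # to an established connection" rule from the comment).
        ct state established,related accept

        # LAN hosts may initiate connections toward the internet.
        iifname $LAN oifname $WAN ip6 saddr $LAN_ULA accept

        # IPv6 relies on ICMPv6 errors (notably packet-too-big) for path
        # MTU discovery; dropping them makes large transfers stall.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Anything else arriving from the WAN is unsolicited; the chain
        # policy drops it, so no further rule is needed.
    }

    chain postrouting {
        # Same NAT technique as IPv4, applied to the ULA prefix.
        type nat hook postrouting priority srcnat; policy accept;
        ip6 saddr $LAN_ULA oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>` and confirm the active rules with `nft list table ip6 edge`; a connection attempt from outside to a LAN host should time out while outbound connections from the LAN keep working.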
dlcarrier 3 hours ago | parent | next
Yeah, that's the kind of stuff that I know how it works from a network protocol standpoint, but have no clue how to configure on any given system, let alone verify I configured it correctly. I installed DD-WRT on my router, hoping it would be easier to set up. The user interface was much easier to navigate, but the labels of the settings were so sparse that I couldn't tell what anything was referring to, even knowing the terminology for the lower layers of network protocols. I wouldn't be surprised if I never get around to working on it in my lifetime, as long as I can play around with electronics projects.

Regarding Android OS, I'm not convinced it isn't a toy OS. I feel like they threw in the Linux kernel, but didn't bother including most of the useful features, and pat themselves on the back whenever they add one back. It took almost a decade before they figured out that you could install fonts without reinstalling the operating system. If they ever discover DKMS, we can stop throwing our phones away every few years, and have some actually useful hardware. Then again, it took Apple two years to add copy and paste to a phone, so maybe it's an industry-wide problem. If I could buy a modern Jornada 700 series running Linux or BSD, I'd never need to pick up an Android or iOS device again.
themafia 9 hours ago | parent | prev
I don't think you even need a stateful firewall. If it's an IoT device that's not meant to provide services to the internet then it seems to me you can just drop all non local subnet originated traffic and get most of the security you would expect with NAT.