Sure, a default deny is a good idea. However, it's not _critical_. If you forget to enforce it on your NAT router, you'll be fine. And if you are behind a CGNAT, it's even safer.

In IPv6 it becomes absolutely essential. If you forget to include it, your network becomes wide open. And you don't have an easy way to detect this because you need an external service to probe your network.

> NAT is not a firewall. It is address translation. It will not drop packets.

Yes, it is a firewall because it enables the address space isolation.