Hole punching is a thing. Ports are not normally completely blocked. They allow replies, which can be exploited to do make a connection. Obviously this requires an out of band signaling mechanism. Tailscale does this, so does WebRTC, iirc.

See: https://tailscale.com/blog/how-nat-traversal-works

Yes, but I don't believe all firewalls support that, especially for TCP, and as you've mentioned, now you also need to maintain a handshaking mechanism.

The complexity makes sense if you need to transport a lot of data peer-to-peer or the lowest possible latency, but if you don't, you might as well use that coordination server (which outbound-only clients are connecting to) for payload communication as well.