I think enough consumer routers run upnp servers out of the box that relying on NAT as a firewall is very unreliable. Have a look at upnp state table on your router, you might be surprised at things that have poked holes for the whole world to hammer at without you noticing.
UPNP is not enabled by default on my router nor has it been on the last few. I think that was common like 15 years ago before all of the gaming consoles figured out how to do STUN on their own.
