Home routers are stateful devices. In IPv4 this means an internal device opens an internet-bound session and the home router tracks that session, comes up with a NAT mapping, and allows the session bidirectionally until it is closed or times out. In IPv6 this means an internal device opens an internet-bound session and the home router tracks that session and allows the session bidirectionally until it is closed or times out. The only difference between the two is whether translation occurs, not whether inbound traffic is allowed.
In regards to inbound, the differences (again, for home) are simply whether there is a static translation and an implied allow to inbound initiate, or whether there is just a static inbound allow.
In IPv4, just relying on NAT and not statefulness is incorrect; any packet that hits your router's external address with an internal destination will just route through. This failure scenario is a bit worse in IPv6, though, as it's a lot harder to get a private IP destination very far over the IPv4 internet, whereas in IPv6 these are all public. On the other hand, you pretty much have to know the IPv6 address you're trying to reach beforehand anyway, which means you're either physically attacking (i.e. bigger problems) or the client reached out to you already, which limits the scope quite a bit. Either way, it's still not secure to just rely on NAT.
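The forwarding decision described above, as a small model added here for illustration (not code from the original post or from any router firmware). The class, its method names and all addresses are constructed; the addresses use RFC 1918 and documentation ranges.

```python
from ipaddress import ip_address, ip_network

LAN4 = ip_network("192.168.1.0/24")      # constructed RFC 1918 LAN
LAN6 = ip_network("2001:db8:1::/64")     # constructed documentation prefix
WAN4 = ip_address("203.0.113.10")        # constructed router WAN address


class HomeRouter:
    """Toy model (hypothetical): decision for packets arriving on the WAN side."""

    def __init__(self, stateful=True):
        self.stateful = stateful
        self.sessions = set()   # (inside_ip, inside_port, remote_ip, remote_port)
        self.nat = {}           # (wan_port, remote_ip, remote_port) -> inside pair
        self.next_port = 40000

    def outbound(self, src, sport, dst, dport):
        """LAN host opens a session; returns the source as seen on the internet."""
        src, dst = ip_address(src), ip_address(dst)
        self.sessions.add((src, sport, dst, dport))
        if src.version == 6:
            return src, sport               # IPv6: tracked, not translated
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[(wan_port, dst, dport)] = (src, sport)
        return WAN4, wan_port               # IPv4: tracked and translated

    def inbound(self, src, sport, dst, dport):
        """Returns (inside_ip, inside_port) if the packet is forwarded, else None."""
        src, dst = ip_address(src), ip_address(dst)
        if dst == WAN4:                     # IPv4 reply to a translated session
            inside = self.nat.get((dport, src, sport))
            if inside is None:
                return None                 # no mapping, nothing to translate to
            dst, dport = inside
        elif dst not in LAN4 and dst not in LAN6:
            return None                     # not a LAN destination
        if self.stateful and (dst, dport, src, sport) not in self.sessions:
            return None                     # no matching session: dropped
        return dst, dport                   # forwarded to the inside host
```

With `stateful=False` the model is the "NAT only" router: a packet that arrives already addressed to an inside host is forwarded in both address families, which is the failure the post describes.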