My ISP has done native IPv6 for years. I'd been ignoring it for roughly as long, because IPv4 and NAT worked, and "works" is the enemy of "let's spend a Sunday on this". This weekend I finally turned it on, mostly out of guilt at writing about networking whilst running a stack from 1998.
The router side was easier than the folklore suggests. The ISP hands out a /56 by DHCPv6 prefix delegation, so the WAN interface does a DHCPv6-PD request, gets the delegated prefix, and the router then carves /64s out of it for each internal interface and advertises them with router advertisements. Within a couple of minutes every device on the LAN had a globally routable address, which after years of NAT feels faintly illicit. My laptop, my phone, the thermostat, all of them holding a public address. ping6 ipv6.google.com answered on the first go and I sat there more pleased than the occasion warranted.
Then the part that always gets people. With NAT, your firewall is doing double duty: nothing inbound reaches a LAN host unless you forward a port, so a sloppy firewall still hides everything by accident. IPv6 has no NAT and every device is directly reachable, so the firewall is now the only thing standing between the open internet and that thermostat's questionable firmware. The default inbound policy has to be drop, with explicit allows, and you have to mean it. I checked mine, found ICMPv6 needed to stay permitted (don't blanket-block it, you'll break path MTU discovery and spend an evening confused), and tightened the rest.
The other wrinkle was that the delegated prefix isn't guaranteed stable. My ISP doesn't promise the same /56 across a reconnect, which means any firewall rule or DNS record I pin to a literal address could break the next time the line bounces. For now I've leaned on the firewall being prefix-agnostic (allow by interface and service, not by address) and accepted that internal AAAA records may need regenerating if the prefix ever changes. A proper answer is dynamic DNS that tracks the delegation, which is a job for another weekend.
I also turned on privacy extensions on the clients, so outbound connections use a rotating temporary address rather than one derived from the MAC. Without that, every site you visit gets a stable per-device identifier baked into the lower half of your address, which rather undoes the point of having a firewall in front of everything. Most modern operating systems do this by default now, but it's worth confirming with ip -6 addr that the address you're actually sending from is the temporary one and not the stable EUI-64.
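The check described above, as an added example that is not part of the original post: it reads ip -6 addr output, classifies each global address as temporary, MAC-derived (EUI-64) or otherwise stable, and lists interfaces that hold a MAC-derived address with no usable temporary one. The sample output, addresses and function names are constructed for illustration, and the ff:fe test is a heuristic rather than proof of MAC derivation.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (2001:db8::/32 is the documentation prefix).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:1:5d1e:9c3a:77b2:4f10/64 scope global temporary dynamic
       valid_lft 86012sec preferred_lft 14012sec
    inet6 2001:db8:1234:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86012sec preferred_lft 14012sec
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:2:a8bb:ccff:fedd:eeff/64 scope global dynamic
       valid_lft 86012sec preferred_lft 14012sec
"""
HEAD = re.compile(r"^\d+: ([^:@]+)")
INET6 = re.compile(r"^\s+inet6 (\S+)/\d+ scope (\S+)(.*)$")

def mac_from_eui64(addr):
    """Return the MAC a modified-EUI-64 interface ID exposes, else None (ff:fe heuristic)."""
    iid = addr.packed[8:]
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac) if iid[3:5] == b"\xff\xfe" else None

def audit(ip_output):
    """Classify every global-scope address as temporary, eui64 or stable."""
    findings, iface = [], None
    for line in ip_output.splitlines():
        if head := HEAD.match(line):
            iface = head.group(1)
            continue
        m = INET6.match(line)
        if not m or m.group(2) != "global":
            continue
        addr, flags = ipaddress.IPv6Address(m.group(1)), m.group(3).split()
        mac = mac_from_eui64(addr)
        if "temporary" in flags:
            # A deprecated temporary address is no longer picked for new connections.
            kind = "deprecated-temporary" if "deprecated" in flags else "temporary"
        else:
            kind = "eui64" if mac else "stable"
        findings.append((iface, str(addr), kind, mac))
    return findings

def exposed(findings):
    """Interfaces that hold a MAC-derived global address and no usable temporary one."""
    covered = {f[0] for f in findings if f[2] == "temporary"}
    return sorted({f[0] for f in findings if f[2] == "eui64"} - covered)

if __name__ == "__main__":
    print(audit(SAMPLE), exposed(audit(SAMPLE)), sep="\n")
```

On a real client, pass the text of ip -6 addr show to audit(); any interface that exposed() returns is sending from an address that embeds its MAC.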
So: native IPv6 at home, eighteen months after I could have had it, and the sky did not fall. The prefix delegation just worked, the firewall needed actual thought, and the lesson is the dull one again. v6 isn't hard, it's different, and the danger is carrying over a v4 mental model where NAT was quietly doing your security homework for you. Turn it on, then go and check your inbound rules before you tell anyone you did.