I'm sorry, you've misconstrued the question. The context is the privacy extension to IPv6 under RFC 4941. So, my question was would ISPs need to do NAT in order to provide that extension -- I only skimmed the RFC but there was no other obvious way to me for it to be provided that wouldn't fall to an adversarial ISP because it appears they must do NAT to make that work?
AIUI ISPs provide a fixed prefix to customers. So I'd need to look how SLAAC would work if it uses a random IPv6 address; surely your ISP only has allowance to use a limited set of numbers that are allocated to them by IANA or whoever.
They they don't need NAT that is simply called routing. The ISP sends every packet that is in your assigned /64 to your routers IP address. It's called prefix delegation [0]
Yes they get a /32 by default (at least in RIPE) larger allocations need justification. But there are 2^32 /64 subnets in a /32 so every ISP gets a complete IPv4 internet of /64 they can assign to their customers at will. Your devices assigns itself a random IP address from that /64 network your ISP gave you via prefix delegation.
AIUI ISPs provide a fixed prefix to customers. So I'd need to look how SLAAC would work if it uses a random IPv6 address; surely your ISP only has allowance to use a limited set of numbers that are allocated to them by IANA or whoever.