> What is the no-NAT equivalent of this?

At least for web-browsing and other HTTP/TCP use-cases: Cut off internet from your hosts and use centralized local proxies for all outgoing connections. Presumably you already have reverse proxies in place for the incoming. There is no need for NAT if all the traffic is taken care of in higher layers. This reduces your consideration to the internet-facing forward- and reverse-proxies only.

Sounds like you already have bittorrent figured out via VPN (Wireguard I guess? Well there we have one more UDP exit-point to consider).

BTW, I largely agree with your sentiment: Benefit of (especially migrating to) IPv6/DS for individual networks is often unclear or questionable and metadata privacy is a valid consideration where I believe correct solutions are not readily available and understood even by your well-intentioned and seasoned senior admins. Maybe globally the number of people who will get this right ranges in the 1000s? 10,000s if we're lucky? How many networks do we need to migrate again for "IPv4 to die"?

I guess the only way forward is for more people to do that migration and share their findings and solutions, though ;)
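One way to verify that hosts really have no direct internet path under the proxy-plus-VPN scheme described above, as an added example that is not part of the thread: a small Python check over connection/flow logs that flags any internal host reaching a public address other than through the proxy host or the WireGuard exit point. The proxy address, VPN endpoint, internal ranges, log line format and sample flows are all assumed/constructed here.

```python
import ipaddress
import re

# Constructed policy (assumed values, not from the thread): only the proxy host may
# reach the internet directly; other hosts may only reach the WireGuard exit point.
PROXY_HOSTS = {"10.0.0.5"}
VPN_EXIT = ("203.0.113.9", 51820, "udp")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed flow-log line format (constructed): src=ip:port dst=ip:port proto=...
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)")

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def is_bypass(src, dst, dport, proto):
    # An egress bypass is an internal host reaching a public address without proxy or VPN.
    if not is_internal(src) or is_internal(dst):
        return False  # inbound or east-west traffic is not egress
    if src in PROXY_HOSTS:
        return False  # the proxy's own upstream connections are expected
    return (dst, dport, proto) != VPN_EXIT

def find_bypass(lines):
    # Returns (src, dst, dport, proto) for every flow that bypasses the proxy/VPN.
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, dport, proto = m["src"], m["dst"], int(m["dport"]), m["proto"].lower()
        if is_bypass(src, dst, dport, proto):
            hits.append((src, dst, dport, proto))
    return hits

# Constructed sample flows; the two direct-to-internet ones should be flagged.
SAMPLE_FLOWS = [
    "t=1 src=10.0.1.12:51234 dst=10.0.0.5:3128 proto=tcp",      # via proxy: fine
    "t=2 src=10.0.1.12:40001 dst=203.0.113.9:51820 proto=udp",  # via WireGuard: fine
    "t=3 src=10.0.1.12:40002 dst=198.51.100.20:443 proto=tcp",  # direct HTTPS: bypass
    "t=4 src=10.0.0.5:33000 dst=198.51.100.20:443 proto=tcp",   # proxy upstream: fine
    "t=5 src=10.0.1.30:53111 dst=8.8.8.8:53 proto=udp",         # direct DNS: bypass
    "t=6 src=10.0.1.30:53112 dst=10.0.0.53:53 proto=udp",       # internal DNS: fine
]

if __name__ == "__main__":
    print(find_bypass(SAMPLE_FLOWS))
```

Run periodically against exported conntrack or NetFlow records; any hit means a host still has a direct route out and the "no internet from hosts" premise does not hold.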

The general ignorance of the privacy benefits of NAT is what I'm reacting against too. It's certainly regrettable that end users are forced into NAT [0], but since then a shameless surveillance industry has cropped up, looking to exploit every bit of identifying information that it can. And it seems that calls for native IPv6 with everything having its own distinct address generally just ignore the practical privacy implications.

It certainly seems possible to get a NAT-equivalent privacy from properly set up SLAAC. Although a sibling comment says that the proposal for variable length prefixes was just submitted this year?!? Equivalent privacy would also require things like consumer VPN providers allowing you to request a few new addresses every few minutes, whereas NAT makes a shared uniform distribution the default.

Using a proxy instead of NAT is a good point, although there are certainly reasons I moved towards managing egress flows at the packet level with VMs rather than configuring software to play nice with proxies. And spiritually I would say that a proxy is an even more heavyweight version of NAT one layer up.

[0] Although I don't personally think the web would have developed any less centralized without NAT as many people like to imagine
