I think the most productive way to look at it that for NAT/NAPT/cone NAT to work, a necessary prerequisite is a default-deny inbound firewall policy and stateful connection tracking.

Once you have that, layering on NAT is possible. But the security implications were already addressed before you get to that point.