Better call up cloudflare and tell them no one wants their business now all the network engineers are as competent and equipped to deal with threats as they are.
Cloudflare's main business is being a CDN that can soak hundreds of gbps in bandwidth of DDoS traffic. Nothing to do with competence, though in your other comments you suggested that plugging things into different switch ports would give them new IPs and make things publicly routable so perhaps you're right to keep using Cloudflare.
and how do you enforce using that firewall rule on tens of thousands of devices, each now with several public and private ips and several thousand routes in and out of the network?
A stateful firewall is prerequisite for NAT implementations commonly deployed in most office and consumer settings due to the session tracking requirement. So you just stop doing the NAT part and the firewall continues to deny untracked ingress connections just like it did when NAT was running.
NAT is only needed if you want to transition from a private network to a public one.
ipv6 still needs nat configuring. nothing changes there.
The only thing that changes from a network administrator perspective is it becomes much harder to ensure devices that should only have a private ip address do not have a public one.
