• Synthead@lemmy.ml
    11 months ago

    I wouldn’t want to reduce security by allowing privileged ports as any user, or running modified operating systems that have lessened security baked-in. This security principle is in place for good reasons, and they should remain in place.

    If you are exposing your LAN to your Internet connection, you’re doing something wrong. If you are not, but are using a firewall that doesn’t support NAT, then I don’t trust your firewall. If your firewall supports NAT, and you’re attempting to subvert Linux security measures instead of using it, then you’re doing something wrong.

    • Skull giver@popplesburger.hilciferous.nlOP
      11 months ago

      I’m not sure what the security benefits of privileged ports are. Any user can run RDP, OpenVPN/WireGuard, LDAP, and a bunch of other protocols on their standard ports, but thank god they can’t run FTP or HTTP servers! IMAP servers sure are dangerous, but SIP servers should be available to any user for security purposes of course. KDE Connect will open fifty ports for SSH servers, but the important thing is that none of those ports is 22 so all is well.

      macOS abolished them a while ago and I don’t believe Macs and iPhones are getting hacked left, right, and center. The security benefit is there for systems shared by many users, preventing a standard user from impersonating operating system services. There are a few shared hosts with terminal access that still need these protections, but my phone doesn’t.

      As for the firewall: if you have NAT enabled on a consumer router, your firewall is essentially open the moment any device on your network runs external code, i.e. any app. Some consumer hardware can even be tricked by regular WebRTC/HTTP traffic, though that’s harder to pull off; those mechanisms only allow incoming traffic to any local port of an attacker’s choosing, not to any port on any device in your network. Thank NAT ALGs and NAT slipstreaming for that; it’s as if UPnP never went away!

      I suppose you could run your own NAT without any ALGs and just not use protocols like passive FTP or SIP, but that would require a custom setup like an OpenWrt router or something of that nature.
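The two comments above disagree about lowering the privileged-port threshold for every user. A middle ground that neither post spells out, added here as an example rather than anything from the thread, is to grant one service the single capability it needs on Linux with systemd; the unit name, user and binary path are hypothetical.

```ini
# Added example (not from the thread): run an HTTP daemon as an unprivileged
# user and let only this unit bind port 80, instead of changing
# net.ipv4.ip_unprivileged_port_start system-wide.
[Unit]
Description=Example HTTP service on port 80 without root (hypothetical)
After=network.target

[Service]
# Hypothetical dedicated account and binary.
User=www-example
Group=www-example
ExecStart=/usr/local/bin/example-httpd --listen 0.0.0.0:80
# CAP_NET_BIND_SERVICE is exactly the capability that bypasses the
# below-1024 bind check; nothing else from root is granted.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Stop the process from regaining privileges through setuid binaries.
NoNewPrivileges=yes
ProtectSystem=strict
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

The contrasting global setting would be `sysctl net.ipv4.ip_unprivileged_port_start=0`, which is the "any user" change the first comment argues against; the per-unit capability keeps other local users from binding low ports.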