Yes. I’ll never forgive IETF for standardizing CGNAT back in 2013. They should have just said “no, deploy IPv6 with a transition technology”.

If that had happened, IPv4 would likely already could be regarded as a relic of the past.

The ietf standardization was irrelevant so I would give them some slack. ISPs were using CGNAT already in a widespread fashion. The ietf just said, “if we’re gonna do this shit, at least stay out of the blocks used by private networks”.

Surely IPv6 makes location spoofing harder, you're not identified by just location anymore but uniquely identified down to the device?

This was solved in 2007 with Privacy Extensions.

It has been a non-existent problem for roughly 20 years now. Why do people still keep pulling out "uniquely identified down to the device" as an argument?

Windows, macOS and most Linux distros by default rotate SLAAC addresses every 24 hours.