Similar IPv6 misunderstandings have been debunked several times in the past, but I'll give it another go.
What exactly leaks via an IP address? Say I access google.com. My v6 address changes randomly every day or so, but say the clever analytics makes the sane assumption that the /64 is (one LAN at) our organization. Traffic is also TLS encrypted, so it's just garbage on the wire. On top of that, hiding the origin ISP and adding another encryption layer is relatively easy by using a VPN. This is much the same security profile as v4.
Randomly generated privacy IPv6 addresses are the default in many stacks, so don't get too anxious about the other methods. MAC address is an already unique-ish identifier available to the networking stack. What else is reasonable to use as a global identifier? An address based on that in a /64 has an extremely small probability of collision. Personally, I'm not super worried about it as an identifier; here's mine: 00-24-1D-1C-D1-0D. Outside my layer 2 network, MAC address is not an easy identifier to retrieve, compared to browser sessions and ad identifiers.
NAT has never been a security feature. You can have a NAT that redirects all IP packets unconditionally to one client; it just rewrites addresses. A firewall defaulting to deny is an entirely separate feature. I don't want a NAT on my IPv6 connection; that just slows it down. Firewall yes, NAT no.
IPv6 address space is large enough for all kinds of experiments. If you want to develop a method for a different address per request, go ahead. I am skeptical of the utility when the smart trackers will look at your v6 prefix, and very smart trackers use browser cookies and not IP address.
If you don't want a host public at all, don't give it a route to the Internet and/or firewall it. If you want to appear from a different service provider, get a VPN.
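The following is an added example, not part of the original answer: it shows how a MAC-derived (modified EUI-64) interface identifier is formed, how to audit a host list for addresses that embed a MAC, and how addresses group under one /64 regardless of the interface identifier. The prefix `2001:db8:1:2::/64` is the documentation range and the random-looking addresses are constructed samples; the MAC is the one quoted in the answer.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the modified EUI-64 SLAAC address for a MAC inside a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 identifiers require a /64 prefix")
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(iid, "big"))


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an address, or None if none is visible.

    Heuristic: a random identifier can contain ff:fe at this position by
    chance (about 1 in 65536), so treat a hit as a lead, not as proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return "-".join(f"{o:02X}" for o in mac)


def audit(addresses: List[str]) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Group addresses by /64 and note which ones expose a MAC."""
    report: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    for a in addresses:
        net = ipaddress.IPv6Network((a, 64), strict=False)
        report.setdefault(str(net), []).append((a, embedded_mac(a)))
    return report


# Constructed sample: one EUI-64 address and two privacy-style addresses.
SAMPLE = [
    str(eui64_address("2001:db8:1:2::/64", "00-24-1D-1C-D1-0D")),
    "2001:db8:1:2:5c1e:93a7:40b2:e8f1",
    "2001:db8:1:2:91d0:77ac:3e15:b6c",
]

if __name__ == "__main__":
    for net, hosts in audit(SAMPLE).items():
        for addr, mac in hosts:
            print(net, addr, mac or "no MAC visible")
```

All three sample addresses land under the same /64 key, which is the point made above about prefix-based correlation: rotating the interface identifier hides the MAC but not the network.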