alt Hacker NewsI thought this was a problem too. Then I realized that addresses are not in short supply, so I stopped caring that some devices get multiple addresses. The ones I care about are handed out over DHCPv6, and the firewall works accordingly. The rest gets basic connectivity and nothing else.
Works great for me.
Don't you have problems with clients using the wrong source address and not matching firewall rules?