I don’t really know how to answer that.
I can entirely empathise: I haven't a clue how to answer yours but will try.
The RDP issue: you shouldn't be using RDP across the Interwebs, but if you were, why not destination NAT on the outside for port 3389, mapping 3389 to one machine, 3390 to 3389 on another, 3391, etc., or better yet 33389 for the first one to make port scanning more dull for nosey folks?
Peer to peer apps: are you familiar with Napster, KaZaA, eDonkey, etc.? We've moved towards centralising compute, storage, etc., for efficiency, but for other things we certainly have peer to peer: play games online and in many cases they're peer to peer or one of the players hosts. It's been knocking around since the dialup days. With dynamic IP addresses you have to have lobbies anyway; these can easily be used to punch holes in NAT.
Firewalls are required for the same reason most of us have to lock our doors at night. The default deny at the end of them is essential. Sad as it is, they are necessary. Without them we'd all be at the mercy of bad actors. The default deny at the end means my big router's ruleset is this, and two of them direct the system to hardware offload and fasttrack, not allow/deny; one is cosmetic:
[admin@MikroTik] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=fasttrack-connection hw-offload=yes in-interface-list=LANs log=no log-prefix=""
2 chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related in-interface=SFP3-YouFibre1 log=no log-prefix=""
3 chain=forward action=accept in-interface-list=LANs log=no log-prefix=""
4 chain=forward action=accept connection-state=established,related in-interface=SFP3-YouFibre1 log=no log-prefix=""
5 chain=input action=accept in-interface-list=LANs log=no log-prefix=""
6 chain=input action=accept protocol=icmp in-interface=SFP3-YouFibre1 log=no log-prefix=""
7 chain=input action=accept connection-state=established,related,untracked in-interface=SFP3-YouFibre1 log=no log-prefix=""
8 chain=input action=accept in-interface=ether13-RTR-Mgmt log=no log-prefix=""
[admin@MikroTik] /ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic
0 chain=srcnat action=masquerade out-interface=SFP3-YouFibre1 log=no log-prefix=""
DDoS protection of a good standard is reactive, context-sensitive, controllable and relevant. I'll find you a picture of the controls I have on my lab here, though this is enterprise grade, not whatever is found in regular home equipment, which is, frankly, worthless. DDoS protection at home is a nice placebo but doesn't actually do anything.
Don't think it should be deep in the network: it should be as close as possible to the Internet-facing edge so that you don't waste capacity transporting junk into your core. Ideally the junk doesn't touch the network at all: systems that detect DDoS based on telemetry and then have the network stop advertising those prefixes and have a specific screening service take over are pretty cool.
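As an added illustration (not part of this thread or of RouterOS), here is a small Python model of the first-match semantics behind the filter chain quoted above, including the implicit default deny, together with the per-host destination NAT for RDP that the reply suggests. The "LANs" list membership, the inside addresses and the extra accept rule are constructed assumptions; the model also shows that the dst-nat mapping alone leaves the translated flow at the forward chain's default deny until such an accept rule exists.

```python
WAN, MGMT = "SFP3-YouFibre1", "ether13-RTR-Mgmt"
LISTS = {"LANs": {"bridge-LAN"}}      # assumed membership of the LANs interface list (constructed)
EST = {"established", "related"}

FILTER = [  # rules 0-8 from the quoted "/ip/firewall/filter print", same order and matchers
    {"chain": "forward", "action": "passthrough"},
    {"chain": "forward", "action": "fasttrack-connection", "in-interface-list": "LANs"},
    {"chain": "forward", "action": "fasttrack-connection", "connection-state": EST, "in-interface": WAN},
    {"chain": "forward", "action": "accept", "in-interface-list": "LANs"},
    {"chain": "forward", "action": "accept", "connection-state": EST, "in-interface": WAN},
    {"chain": "input", "action": "accept", "in-interface-list": "LANs"},
    {"chain": "input", "action": "accept", "protocol": "icmp", "in-interface": WAN},
    {"chain": "input", "action": "accept", "connection-state": EST | {"untracked"}, "in-interface": WAN},
    {"chain": "input", "action": "accept", "in-interface": MGMT},
]

def matches(rule, pkt):
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "in-interface-list":          # membership in a named interface list
            ok = pkt["in-interface"] in LISTS[want]
        elif key == "connection-state":         # rule lists several states; packet has one
            ok = pkt["connection-state"] in want
        else:                                   # exact match; keys a rule omits are wildcards
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(pkt, rules=FILTER):
    """First accept wins; passthrough/fasttrack-connection only mark and let evaluation continue."""
    for rule in rules:
        if matches(rule, pkt) and rule["action"] == "accept":
            return "accept"
    return "drop"   # nothing matched: the implicit default deny at the end of the chain

DST_NAT = {33389: ("192.0.2.10", 3389), 3390: ("192.0.2.11", 3389)}  # constructed RDP mapping

def rdp_path(port, extra_rules=()):
    """Unsolicited TCP SYN from the WAN to external `port`: dst-nat if mapped, then filter."""
    if port in DST_NAT:                  # translated flow transits the router: forward chain
        (host, dport), chain = DST_NAT[port], "forward"
    else:                                # untranslated: aimed at the router itself: input chain
        host, dport, chain = "router", port, "input"
    pkt = {"chain": chain, "in-interface": WAN, "protocol": "tcp",
           "dst-port": dport, "connection-state": "new"}
    return f"{verdict(pkt, FILTER + list(extra_rules))} {host}:{dport}"
```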