Steam can and does routinely add firewall rules for games. There is no notification, no ability to turn it off, and no UAC prompt (so it isn't escalated).
The developer of an app I use, Windows Firewall Control, recognised the issue, and it has a feature where rules not added by WFC itself will be either automatically disabled or automatically deleted, depending on the behaviour you select. This is how I found out what Steam was doing.
So I expect it's trivial for malware to modify Windows Firewall rules.
The IPv6 Xbox issue: I'm not a fan of the privacy nonsense features implemented in IPv6; auditing and accountability should always be a priority over that, and the Xbox implementation of IPv6 sadly is just poor. Even a locked-down mobile phone gives you more control than that. If I really wanted my Xbox to be locked to one IP, I would give it a VLAN to itself with only one IP that can be allocated.