Slaac addressing still has a part of the device identifier generated per device and part of the isp identifier in the address. Not that you are wrong though.
SLAAC should have privacy extensions enabled by default on most modern devices/OS's, which addresses the first part of your statement - and the second part of your statement can only be addressed by using VPN so it's not a valid criticism