EmuAGR
just joined
Topic Author
Posts: 2
Joined: Sun Nov 05, 2023 6:54 am

IPv6 defconf ORCHID firewall rule is obsolete

Sun Mar 17, 2024 12:12 pm

add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
That ORCHID rule is obsolete; there is a new range, 2001:20::/28, as per RFC 7343. Use this instead:
/ipv6 firewall address-list add address=2001:20::/28 comment="defconf: ORCHIDv2" list=bad_ipv6
 
tangent
Forum Guru
Posts: 1674
Joined: Thu Jul 01, 2021 3:15 pm

Re: IPv6 defconf ORCHID firewall rule is obsolete

Sun Mar 17, 2024 2:32 pm

I'm not sure about "instead". The old v1 protocol's reservation remains "deprecated" in the IANA IPv6 Special-Purpose Address Registry, so if traffic arrives at my router using an address from that space, continuing to treat it as "bad_ipv6" sounds right to me. Given the nature of IPv6, I think there's an excellent chance it will never be reassigned.

More broadly, should everything marked "Globally Reachable = false" be on the bad_ipv6 list?

I'm uncertain whether putting TEREDO and 6to4 on the defconf list is an over-reach. While there may still be MT sites out there using them, can't we count on native IPv6 access nearly everywhere now? I realize IPv6 isn't universal yet, but if you want IPv6, is there any ongoing reason to choose these old tunneling protocols to get it?
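
The difference between replacing the ORCHID entry and keeping it alongside the ORCHIDv2 one, as an added example that is not part of either post: the two /28 prefixes do not overlap, so each single-entry list leaves the other range unmatched. The variant names and the sample source addresses are constructed for illustration.

```python
import ipaddress

ORCHID_V1 = ipaddress.ip_network("2001:10::/28")  # defconf entry quoted in the first post
ORCHID_V2 = ipaddress.ip_network("2001:20::/28")  # RFC 7343 range from the first post

# Three candidate contents for bad_ipv6, as discussed in the thread (names are hypothetical).
VARIANTS = {
    "defconf (v1 only)": [ORCHID_V1],
    "replace (v2 only)": [ORCHID_V2],
    "keep both": [ORCHID_V1, ORCHID_V2],
}

# Constructed source addresses at the edges of each range, plus two outside both.
SAMPLE_SOURCES = [
    "2001:10::1", "2001:1f:ffff::1",   # first and last /32 inside 2001:10::/28
    "2001:20::1", "2001:2f:ffff::1",   # first and last /32 inside 2001:20::/28
    "2001:30::1", "192.0.2.1",         # outside both ranges
]


def is_listed(addr, prefixes):
    """True if addr is an IPv6 address inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and any(ip in net for net in prefixes)


def unmatched(variant, sources=SAMPLE_SOURCES):
    """Sources inside either ORCHID range that the given list variant would not match."""
    prefixes = VARIANTS[variant]
    return [
        s for s in sources
        if is_listed(s, [ORCHID_V1, ORCHID_V2]) and not is_listed(s, prefixes)
    ]


if __name__ == "__main__":
    print("ranges overlap:", ORCHID_V1.overlaps(ORCHID_V2))
    for name in VARIANTS:
        print(f"{name:20} misses {unmatched(name)}")
```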