If you have a rogue application on a home LAN that opens ports by UPnP without your agreement, you already have way bigger problems than UPnP because that rogue app can breach the perimeter already without opening any ports. (Also, some routers can limit UPnP allowance to specific devices - mine can). The first step to security is knowing what the threats and mitigations are. But yeah let’s leave it at that 
I have a static IPv4 address and it works without issues. However, a static one is not necessary and a dynamic public IPv4 also works, as long as it is a proper IPv4 that can be port forwarded. (I.e. not CG-NAT). Though I guess it depends on how often the ISP actually changes the dynamic IP in practice.
On the other hand, since Roon 2.0.16 with the May 8 update it should also work with IPv6, at least on many ISPs. But I never played with that, so no idea: