Neither of them prevent inbound connections, on their own or together.
I don't really think that "inbound connections work fine and you're basically just praying that the people that can do them simply won't" counts as being secure, but I'll admit that using RFC1918 does limit the set of people that can do them. If you made that your argument, you'd have more of a point than an argument based around NAT.
Okay! I didn't say it was absolutely secure. A firewall is obviously preferred. I'm just saying it's shades of gray... non-routeable addresses provides a level of security.
