There's no minimum subnet size.

/64 acts as a soft limit due to the prevalence of SLAAC. Which is good in a way, since it means ISPs have to give out at least /64, which means you're always able to subnet (although you can't use SLAAC and must use static addresses or DHCP) unlike IPv4 where you have to pay for extra addresses.

Yes, you can't use SLAAC feature, but there's no subnetting limit in IPv6. Any subnet size works.

Writing to you from /72.

You're technically correct, but ISPs best practice is to hand out a /64.

The purpose of SLAAC intends to have many customers in one /64 network though.

No, just many devices.

You can DoS your whole subnet by pretending to be a billion devices. In IPv4 you can do it by occupying all the IP addresses. Therefore putting several customers on one network is a bad idea, just like in IPv4.

The purpose of SLAAC is to make it "easy" for a client to get onto the network without something like a DHCP server tracking addresses. If you set it up, it generally just works.

Previously it worked by putting the MAC address in the last 64 bits.

Yes, that was before privacy extensions. It hasn't been like that (in most implementations) for a very long time.

And you get no privacy if /64 prefix is a stable identifier of one customer.

This doesn't seem like an IPv6-specific issue. For most broadband customers, your external IPv4 address is also generally stable. Mine hasn't changed in years.