I edited my comment to better and more fully reflect my thoughts. It’s hard to properly express myself when I’ve been as sick as I have been with bronchitis and possible pneumonia for the past 4 weeks.
Hopefully my comment now better reflects my thoughts.
Because it’s easy to accidentally run services or set up services temporarily and forget that you left them running. With UPnP being able to automatically/dynamically open ports, a firewall is just another layer of protection. You can also configure firewalls to ignore packets silently or log dropped packets, and if applications ever get new versions and end up listening on new ports, you would have to manually allow the ports. Maybe you want to have one part of an application accessible through the firewall but not another part of the application.
Plus, like you said, country blocking is another feature which personally I think is nice to have, and there are also other features too like being able to throttle connections, especially with things like fail2ban.
It’s just another layer of protection, and it ensures that everything you run is deliberate.