IPv6 RAs always include on-link prefix; clients may not use DHCPv6 managed addresses
pfSense IPv6 RA support in 2.3.1-x correctly includes the 'M' (Managed) bit in its advertisements.
By contrast, Cisco IOS supports an explicit "ipv6 nd prefix default non-advertise" configuration to prevent this.
However, pfSense always includes the on-link prefix in these advertisements, even if the "Router mode" in Services -> DHCPv6 Server & RA -> LAN -> Router Advertisements is set to "Managed".
This causes Mac OS X clients to (inappropriately) use SLAAC & privacy addresses by default, unless temporary addresses are explicitly disabled system-wide using sysctl (as per FreeBSD).
Linux and Windows do not exhibit this issue and use the DHCPv6 statefully-managed address by default -- which is the desired behaviour in this configuration. (It's an office, PCI DSS is in play, and we need to at least track who initiated communication to the outside world, even if we don't act as a man-in-the-middle.)
There appears to be no option to disable advertising the on-link prefix.