Suppose your WAN IP = 111.111.111.111
A new packet with destination address 111.111.111.111, dest-port 1234, enters the WAN interface.
Option 1
Without a matching dNAT rule, no dNAT takes place. This makes the ER WAN interface the destination, and the WAN_LOCAL firewall ruleset is used to filter the packet.
Option 2
With a matching dNAT rule, the destination IP is translated into the internal IP 192.168.0.100. This is not a local IP address of the ER, so the ER will use the WAN_IN firewall ruleset (if applied). So this dNAT rule itself is already a sort of filter.
Now the hypothetical case of a new packet with destination address 192.168.0.100 entering the WAN interface. (Of course, such a packet will never make it to you on the internet.)
There is no dNAT for that address (dNAT rules use the 111.111.111.111 address), so normal routing takes place. 192.168.0.100 is on the LAN, not the ER itself, so the packet is filtered by WAN_IN. If no WAN_IN is in place, the packet is free to go.
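
The decision order described above, modelled as an added example (not part of the original post and not EdgeOS code): dNAT is applied first, then the routing decision on the translated destination selects WAN_LOCAL or WAN_IN. The router's LAN address 192.168.0.1 and all function and class names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed values taken from the scenario in the post.
WAN_IP = "111.111.111.111"
# Addresses owned by the router itself. 192.168.0.1 is an assumed LAN address.
ROUTER_LOCAL = {WAN_IP, "192.168.0.1"}


@dataclass(frozen=True)
class DnatRule:
    """Hypothetical model of one dNAT rule on the WAN interface."""
    dst_ip: str      # original destination the rule matches
    dst_port: int    # original destination port the rule matches
    inside_ip: str   # internal address the destination is rewritten to


# The single port forward from the post: WAN_IP:1234 -> 192.168.0.100
DNAT_RULES = [DnatRule(WAN_IP, 1234, "192.168.0.100")]


def classify(dst_ip, dst_port, dnat_rules=DNAT_RULES, wan_in_applied=True):
    """Return (final_destination, ruleset) for a new packet arriving on WAN."""
    # Step 1: dNAT runs before routing and matches the ORIGINAL destination.
    for rule in dnat_rules:
        if (dst_ip, dst_port) == (rule.dst_ip, rule.dst_port):
            dst_ip = rule.inside_ip
            break
    # Step 2: routing decision on the (possibly translated) destination.
    if dst_ip in ROUTER_LOCAL:
        # Packet is for the router itself.
        return dst_ip, "WAN_LOCAL"
    # Step 3: packet is forwarded through the router.
    # With no WAN_IN ruleset applied, nothing filters it.
    return dst_ip, "WAN_IN" if wan_in_applied else "UNFILTERED"


if __name__ == "__main__":
    cases = [
        ("Option 1 (no dNAT rule)", dict(dst_ip=WAN_IP, dst_port=1234, dnat_rules=[])),
        ("Option 2 (dNAT matches)", dict(dst_ip=WAN_IP, dst_port=1234)),
        ("Hypothetical LAN dest", dict(dst_ip="192.168.0.100", dst_port=1234)),
        ("Same, WAN_IN not applied", dict(dst_ip="192.168.0.100", dst_port=1234,
                                          wan_in_applied=False)),
    ]
    for label, kwargs in cases:
        print(f"{label:26} -> {classify(**kwargs)}")
```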