Due to its large address space, IPv6 remains a challenge for Internet measurements. Thus, IPv6 scans often resort to hitlists that, however, mainly cover core Internet infrastructure and servers. Contrarily, a recent approach to source addresses leveraging NTP servers promises to discover more user-related hosts. Yet, an in-depth analysis of hosts found by this approach is missing and its impact remains unclear. In this paper, we close this gap by sourcing client IPv6 addresses from our NTP Pool servers and scanning related hosts. We get 3040325302 IPv6 addresses, unveiling 283867 deployments of consumer products underrepresented in a state-of-the-art hitlist, only leading to 37858 finds. Security-wise, we find that only 28.4% of 73975 NTP-sourced SSH and IoT-related hosts appear to be securely configured, compared to 43.5% of 854704 hosts in the hitlist, revealing previously underestimated security issues. Last, we switch sides and identify first (covert) actors adopting NTP-based address sourcing in their scanning.