
How to configure ACLs so users can see tickets created by other users in Service Portal?

patricklatella
Mega Sage

Hi all,

I'm working on a customer service portal, and in the portal I need to allow non-roled users to see a widget called "My company's incidents", and then for them to be able to see all the records on the incident table that have the "company" field set to their company, regardless of who created it.  Is this possible?  The query I have on the widget is correct, but when impersonating users I cannot see the records created by other users.  Anyone know how to do this?

1 ACCEPTED SOLUTION

DScroggins
Kilo Sage
Hi Patrick,

You can modify the before query business rule "incident query" on the incident table. You can adjust the script to allow users to see the records according to whatever requirements you have. Currently only users who are the caller or opened by can see the incidents if they don't have roles. Once you modify the BR then the incident record will show in portal.

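A sketch of the kind of change the accepted solution describes, added here as an example; it is not the out-of-box "incident query" script and not code from any poster. `restrictIncidentQuery` holds the logic that would go in the before query business rule and uses the ServiceNow calls `gs.hasRole`, `gs.isInteractive`, `gs.getUserID`, `gs.getUser().getCompanyID()`, `addQuery` and `addOrCondition`; `FakeQuery`, `fakeGs`, `INCIDENTS` and `visibleTo` are hypothetical stand-ins with constructed data so the row filter can be run and checked outside an instance.

```javascript
// Logic for a before-query business rule on [incident] (added example).
// In the real rule, `current` and `gs` are supplied by the platform.
function restrictIncidentQuery(current, gs) {
  if (gs.hasRole('itil') || !gs.isInteractive()) return 'unrestricted';
  var userId = gs.getUserID();
  var qc = current.addQuery('caller_id', userId).addOrCondition('opened_by', userId);
  var company = gs.getUser().getCompanyID();
  // Guard: an empty company must never become "company = ''", which would
  // expose every incident that has no company set.
  if (company) { qc.addOrCondition('company', company); return 'own+company'; }
  return 'own-only';
}

// --- Hypothetical stand-ins for platform objects, for offline checking only ---
function FakeQuery(rows) { this.rows = rows; this.or = []; }
FakeQuery.prototype.addQuery = function (f, v) { this.or.push([f, v]); return this; };
FakeQuery.prototype.addOrCondition = function (f, v) { this.or.push([f, v]); return this; };
FakeQuery.prototype.results = function () {
  var or = this.or;
  return this.rows
    .filter(function (r) { return !or.length || or.some(function (c) { return r[c[0]] === c[1]; }); })
    .map(function (r) { return r.number; });
};

function fakeGs(userId, company, roles) {
  return {
    hasRole: function (r) { return roles.indexOf(r) !== -1; },
    isInteractive: function () { return true; },
    getUserID: function () { return userId; },
    getUser: function () { return { getCompanyID: function () { return company; } }; }
  };
}

var INCIDENTS = [ // constructed sample rows; real fields hold sys_ids
  { number: 'INC001', caller_id: 'alice', opened_by: 'alice', company: 'acme' },
  { number: 'INC002', caller_id: 'bob', opened_by: 'bob', company: 'acme' },
  { number: 'INC003', caller_id: 'carol', opened_by: 'carol', company: 'globex' },
  { number: 'INC004', caller_id: 'dave', opened_by: 'dave', company: '' }
];

// Incident numbers a given user would get back after the rule has run.
function visibleTo(userId, company, roles) {
  var q = new FakeQuery(INCIDENTS);
  restrictIncidentQuery(q, fakeGs(userId, company, roles));
  return q.results();
}
```

Read ACLs are still evaluated on whatever rows the query returns, so the business rule widens or narrows the row set but does not replace field-level or record-level ACL checks.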

21 REPLIES

Hi Paul, sorry one more question...so are you saying it's against the intent to have a Service Portal that is external facing at all?  Meaning just by having people enter our system and visit a dedicated Customer Service Portal who aren't in our organization could be a violation?  Or just this idea of having these external users be able to see all the tickets created by members from their external organization?  Thanks again.

You can use Service Portal to be externally facing, it is just supposed to be used to only view tickets that the end user has raised, not all tickets for their company.

Viewing tickets on that scale is supposed to be done in the fulfiller interface as a licensed user.


ServiceNow Nerd
ServiceNow Developer MVP 2020-2022
ServiceNow Community MVP 2019-2022

Providing view-only access to incidents does not violate the fulfiller license. This was verified with SN before we took this approach. Users who do not have any ITIL role can view any incident, create their own incidents, or comment on incidents which they raised. If users do any other updates to incidents with which they were not the caller/opener, then they need a license. Portals do not have to be externally facing only. They can be created to serve any purpose your organization requires. Also, to do what is asked you cannot simply use ACLs, as the before query will prevent the records from being retrieved from the database in the first place. As a side note, we have done this with over a 250k+ user base and 1m+ incidents with no ill side effects or unexpected outcomes.

I will agree though if there is ever a question about licensing restrictions etc it's best just to verify with your account manager. Always good to CYA.

Yeah, it definitely doesn't violate fulfiller, but may violate the intent of a requestor (just in case this impacts un-roled users). It's always good to check as situations can differ.

For example, we wanted to provide view-only access to an entire ITIL table from a CreateNow license and were told we weren't allowed to do that. If an unroled user can, surely a CreateNow user should be able to - but we were told it violated the intent, and the CreateNow user would have to be ITIL licensed too.
That was years ago though - if we asked the question now, maybe we would get a different answer.


ServiceNow Nerd
ServiceNow Developer MVP 2020-2022
ServiceNow Community MVP 2019-2022