Starting from the most interesting info - another Comcast customer contacted me, lets call him CCB, and the first Comcast customer I mentioned previously will be CCA. CCB claims he had to disable some settings - probably "Advanced Security" - in his Comcast router, because before doing so, nobody was able to connect to his lightning node via IPv4 (clearnet, not tor).  He claims to have done this back in July or August. We tested just today, and both sides were able to successfully initiate TCP connection, no blocking here. Importantly, at the same time I was not able to connect to CCA - timeout.

Chronology of tests, all times are in CEST.
around 18:00 yesterday - I started tor relay (non-exit, ExitPolicy reject *:*)
22:09 - it appeared as online on https://metrics.torproject.org/ . Started testing connection to CCA, using "socat -dd - TCP4:<CCA_ADDR>:<CCA_lightning_port>" every 5 minutes. Connected successfully. 
07:07 - last successful connection to CCA
07:12 - first unsuccessful connection to CCA - timeout; all subsequent tests with CCA end with timeout
08:10 - stopped tor relay
13:09 - 13:14 - tests with CCB - both sides can connect
17:54 - still cannot connect to CCA
18:19 - connected to CCA from my mobile phone connection (so from another IP, which is not blacklisted, so we see CCA is not offline)
18:55 - still cannot connect to CCA

So port forwarding must be correct on CCA, or I would not be able to connect. 

Now I think the blocking is real, probably on by default, but Comcast customers can opt-out. 

Doubts / weaknesses of tests and theory:

Any volunteer Comcast customers for further testing? Preferably without lightning nodes, because I'd like to test with this "Adv. security" active, and it may interfere with lightning node  (or any other use-case which needs high uptime).

If my theory is correct, Comcast is slightly less evil than my very first post would suggest. Still evil, because this blocking has little to do with security - maybe blocking exit relays makes some sense, they can be misused to attacks, DDoS etc. But according to Comcast, merely running tor relay makes you a threat. And this so-called security is probably on by default (according to CCB) and "There are definitely popups all over the place telling me to turn it on". So it is probably not apparent that this setting blocks (some? most?) tor relays completely.