I ended up opening a ticket with TAC to ask this question.  Basically, you do have to enable those features individually, and snooping by itself is used to building the binding table used by the other features.  Here is the config I ended up using, which enables a bunch of layer-2 security features for both IPv4 and IPv6:

Configuration:

Global:

ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping
ipv6 nd raguard policy kyle-raguard
 device-role host
ipv6 snooping policy kyle-ipv6-snooping
 data-glean
ipv6 nd inspection policy kyle-ndinspection
 drop-unsecure
 device-role host
ipv6 neighbor tracking
ipv6 source-guard policy kyle-ipv6-source-guard
 permit link-local
 deny global-autoconf
ipv6 dhcp guard policy kyle-dhcp6guard
 device-role client

Trusted port/uplink:

ip dhcp snooping trust

Regular user port:

 ip arp inspection limit rate 15 burst interval 10
 ipv6 nd raguard attach-policy kyle-raguard
 ipv6 snooping attach-policy kyle-ipv6-snooping
 ipv6 nd inspection attach-policy kyle-ndinspection
 ipv6 source-guard attach-policy kyle-ipv6-source-guard
 ipv6 dhcp guard attach-policy kyle-dhcp6guard
 storm-control broadcast level pps 1k
 ip verify source
 ip dhcp snooping limit rate 10