Question: Why do folks here typically recommend setting up a VPN for secure access, but say that exposing SSH is too risky?

Also changing the standard port, if possible

This should be top comment, came here to say the same 🙂

I use SSH to fix the system if my VPN won’t connect.

This right there. Openssh is rock solid.

I personally disable password auth entirely. Only keys, and the keys are either resident FIDO2 keys on a pair of Yubikeys, or a cold backup on a USB drive.

Root login is disabled as well and I have fail2ban set up to quiet the logs.
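A small audit script for the settings this commenter describes (keys only, no password auth, no root login). This is an added example, not code from the thread; the two sshd_config snippets it checks are constructed, and it assumes OpenSSH's rule that the first occurrence of a keyword wins and that settings under a `Match` block are conditional and so are not part of the global audit.

```python
"""Audit sshd_config text for the hardening described above (added example).

Assumes OpenSSH semantics: keywords are case-insensitive, the first
occurrence of a keyword is the effective one, and anything after the first
`Match` line is conditional, so parsing stops there.
"""
import re

# Keyword -> values that count as hardened.
CHECKS = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no"},
    # keyboard-interactive can still carry a password prompt via PAM
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# OpenSSH's documented defaults when the keyword is absent (sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value}, first occurrence wins, comments and
    blank lines skipped, Match blocks ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return [(keyword, effective_value, ok), ...] for every checked keyword,
    falling back to the OpenSSH default when the keyword is absent."""
    settings = parse_sshd_config(text)
    findings = []
    for key, good in CHECKS.items():
        value = settings.get(key, DEFAULTS[key]).lower()
        findings.append((key, value, value in good))
    return findings


def is_hardened(text):
    """True only if every checked keyword has a hardened value."""
    return all(ok for _, _, ok in audit(text))


# Constructed sample: a distro-style default with password login left on.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: keys only, no root, as the comment describes.
HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", "ok" if is_hardened(cfg) else "NOT hardened")
        for key, value, ok in audit(cfg):
            print(f"  {key}={value} {'ok' if ok else 'FAIL'}")
```

Note that an empty config is reported as not hardened because `PasswordAuthentication` defaults to `yes`; that is the point the commenter is making about having to disable it explicitly.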

For public cloud, some people lock it to their public IP. I finally got the API working for Oracle to update it when it changes.

Plus WireGuard doesn’t respond without the correct key, while ssh responds even to an incorrect auth attempt.

This, in my opinion, is the right answer to the OP’s question.

Thanks for the response.

and arguably more secure

This is the part I’m wondering about - both are using key-based encryption so why is it more secure?

If you want to be fancy you could even set up a custom server program on port 22, and if anything connects to it, it just blocks that IP entirely from the server. You could probably just have it produce a failed login attempt in a log file and let fail2ban handle it.
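What "let fail2ban handle it" amounts to, as an added example that is not from the thread or from fail2ban itself: count sshd authentication failures per source address inside a sliding window and ban when the count reaches the threshold. The log lines are constructed (documentation IP ranges), the regex is my approximation of OpenSSH's auth-log lines rather than fail2ban's own filter, and the `ignoreip` allow-list mirrors fail2ban's `ignoreip` option so that an admin's own address, which a later comment mentions locking itself out, is never banned.

```python
"""Fail2ban-style detection over sshd log lines (added example).

Constructed input; regex approximates OpenSSH's auth log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches "Failed password/publickey for [invalid user] X from IP port N"
# and "Invalid user X from IP port N" lines as written by sshd.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failure(line, year=2024):
    """Return (timestamp, ip) for an sshd auth-failure line, else None.
    Syslog lines carry no year, so one is assumed."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def find_bans(lines, maxretry=5, findtime=600, ignoreip=()):
    """Return {ip: time_of_ban} for every address that reaches maxretry
    failures within any findtime-second window (fail2ban's defaults)."""
    windows = defaultdict(deque)   # ip -> recent failure timestamps
    banned = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in ignoreip or ip in banned:
            continue
        q = windows[ip]
        q.append(ts)
        # drop failures that fell out of the window
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


# Constructed log: one brute-forcer, one admin with a bad key, one slow guesser.
LOG = """\
Jan 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 12:00:04 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 10 12:00:09 host sshd[1003]: Invalid user oracle from 203.0.113.7 port 51244
Jan 10 12:00:15 host sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jan 10 12:00:22 host sshd[1005]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 10 12:01:30 host sshd[1006]: Failed password for root from 203.0.113.7 port 51260 ssh2
Jan 10 12:05:00 host sshd[1101]: Failed publickey for alice from 198.51.100.20 port 40000 ssh2
Jan 10 12:05:01 host sshd[1102]: Failed publickey for alice from 198.51.100.20 port 40001 ssh2
Jan 10 12:05:02 host sshd[1103]: Failed publickey for alice from 198.51.100.20 port 40002 ssh2
Jan 10 12:05:03 host sshd[1104]: Failed publickey for alice from 198.51.100.20 port 40003 ssh2
Jan 10 12:05:04 host sshd[1105]: Failed publickey for alice from 198.51.100.20 port 40004 ssh2
Jan 10 12:05:10 host sshd[1106]: Accepted publickey for alice from 198.51.100.20 port 40005 ssh2
Jan 10 12:10:00 host sshd[1201]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Jan 10 12:25:00 host sshd[1202]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Jan 10 12:40:00 host sshd[1203]: Failed password for bob from 192.0.2.9 port 33002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bans(LOG, ignoreip={"198.51.100.20"}).items():
        print(f"ban {ip} at {when}")
```

Without the `ignoreip` entry, the admin at 198.51.100.20 is banned too: five failed public-key attempts in four seconds look exactly like a brute force, which is the lock-out scenario described further down the thread.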

You see these with VPNs too… no diff in logspam.

Tailscale is also a VPN

VPNs can have exploits too. In fact there have been dozens and dozens of CVEs against popular VPN implementations.

Lots of new people here I see, that’s why the downvotes.

I remember in the 90s/early 00s when almost every other server exposed on the internet was exploitable and you could get root access very easily.

VPN doesn’t solve this in any manner. You still have to expose a service, and if you’re in IPv4 and CGNAT, you have the same problem whether it’s VPN or SSH.

with weak credentials set and see what happens.

Why?

On most modern distros you need to actually enable password auth for root consciously.

I think these days, public wifi is more of a risk due to evil twin presence

this should be Reddit’s tagline, the little bit of text that often follows the logo.

Most redditors haven’t even finished college yet. Not that it automatically means they don’t know what they’re doing, but a large majority of people on reddit aren’t speaking from personal experience. As mentioned, most are just parroting what they’ve read.

I don’t know if I should believe you or if you don’t know what you’re talking about… /s

Am I wrong?

I don’t bother…

When I tried that, I ended up locking myself out. I connected three times too quickly or had issues with my key that resulted in failed attempts.

My SSH is open, keys only… If you can brute-force my key, I’m going to have a LOT bigger issues than my SSH server being compromised…