Cake day: June 15th, 2023


  • If someone finds a 0day in your SSH server and goes on drive-by attacking the whole internet, you’re toast.

    Already moving off port 22 reduces much of the risk, essentially reducing the attack surface for drive-by attacks to zero while still being susceptible to targeted attacks – that is, still susceptible to attackers bothering to scan the whole range. Anything that makes you unscannable (VPN, portknockd, doesn’t matter) mitigates that. Even state-level actors would have to be quite determined to get through that one.

    Yes, it’s security through obscurity. Yes, it’s a good idea: there’s a difference between hiding your unlocked front door and hiding your military-grade front door lock; one of them is silly, the other isn’t.