

4 · 2 months ago

I’ve found great success using a hardened ssh config with a limited set of supported Ciphers/MACs/KexAlgorithms. Nothing ever gets far enough to even trigger fail2ban. Then of course it’s key only login from there.
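
An added example, not part of the comment above and not the commenter's config: a small audit that checks effective sshd settings, in the format `sshd -T` prints, for a restricted Ciphers/MACs/KexAlgorithms set and key-only login. The allowlist is an assumed policy chosen for illustration, and the sample input is constructed.

```python
# Added example. The allowlist below is an assumed policy, not the commenter's config.
ALLOWED = {
    "ciphers": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
                "aes128-gcm@openssh.com"},
    "macs": {"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"},
    "kexalgorithms": {"curve25519-sha256", "curve25519-sha256@libssh.org",
                      "sntrup761x25519-sha512@openssh.com"},
}
# Key-only login: password-style methods off, public key on.
REQUIRED = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}

def parse(text):
    """Map keyword -> value; the first occurrence wins, as sshd does."""
    settings = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and not key.startswith("#"):
            settings.setdefault(key.lower(), value.strip())
    return settings

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    settings, findings = parse(text), []
    for key, allowed in ALLOWED.items():
        offered = [a for a in settings.get(key, "").split(",") if a]
        if not offered:
            findings.append(f"{key}: missing from input")
        extra = [a for a in offered if a not in allowed]
        if extra:
            findings.append(f"{key}: not on allowlist: {', '.join(extra)}")
    for key, want in REQUIRED.items():
        got = settings.get(key, "unset")
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    return findings

# Constructed sample input, not captured from a real host.
SAMPLE_WEAK = """\
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_WEAK)) or "policy met")
```

Feeding it `sshd -T` output rather than the raw config file means `Include` files and `+`/`-` list modifiers are already resolved into the effective algorithm lists.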
Without reading the article, my first take is that no, it should be our right to opt-in. That is, it should be the default to be opted out, and only explicit permission ever opts you in.