Wireguard doesn’t send anything back if the key is not correct.
Because of this, Tailscale port swapping is inconsequential vs wireguard here.
Tailscale transfers trust of your VPN subnet to a third party, which is a real security concern.
I agree SSH service will be attacked if they are plainly exposed, out of date and allow login challenges.
Also agree that under or misconfiguration is a massive cause for security issues.
Arch ftw