I'm not suggesting the cryptography is broken, but having an ongoing SSH root tunnel exposes unnecessary attack vectors. Terrapin was just the most recent one, and I'm in favor of not having my SSH in the open at all.
Yes, you can firewall-restrict access to specific IP ranges, but then you're back to the configuration and security overhead you intended to avoid in the first place.
Read my summary; I think it's a valid option, but I wouldn't want this for my production routing node that has been running 24/7 for 4 years.
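For reference, the firewall restriction mentioned above looks like the following nftables ruleset. This is an added example, not the commenter's own configuration; the admin source range (203.0.113.0/24, a documentation range) and the SSH port (22) are assumptions to replace with your own values.

```nftables
# Added example: only admit SSH from an assumed admin range; everything else
# inbound is dropped by policy. 203.0.113.0/24 is a placeholder range.
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # keep replies to connections this host initiated
    ct state established,related accept
    ct state invalid drop

    # local loopback traffic
    iif "lo" accept

    # SSH only from the admin range; all other SSH attempts fall to the drop policy
    ip saddr 203.0.113.0/24 tcp dport 22 accept
  }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`; this is exactly the extra configuration the comment warns you then have to maintain (and keep consistent across address changes) on a node you want to leave untouched.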