We don't leave any ports open anymore. Everything is behind WireGuard. No key? Your packet goes into the black hole.
Silent by default.
Be sure to add iptables rules to drop packets if there's no back-and-forth exchange of data; then you're good to go, as fake/wrong keys don't use resources to determine if a key is legit or not. Not that big of a deal, and wg just doesn't reply anyway.
And good choice on the WireGuard-only setup. The only issue I had was devops/testing things while not being connected to that WireGuard, because I'd be connected to another WireGuard and couldn't ssh in to the server.
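As an added illustration of the "drop unless there is an established exchange" firewall the comment above describes (this is example configuration written for this page, not anything the commenters posted), here is a minimal nftables ruleset for a host whose only externally reachable service is WireGuard. It assumes WireGuard listens on UDP 51820 and the tunnel interface is named wg0; both are assumptions to adjust. The conntrack rules are what implements the "no back-and-forth, no reply" behaviour: only replies to flows the host itself started, or the WireGuard port, get through, and the default drop policy means unsolicited packets get no RST and no ICMP unreachable, matching WireGuard's own silence toward unknown keys.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumptions:
#   - WireGuard listens on UDP 51820
#   - the tunnel interface is wg0
# Load with: nft -f this-file.nft

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is always fine.
        iif "lo" accept

        # Only flows with an established back-and-forth (replies to traffic
        # this host started) are accepted; anything conntrack calls invalid
        # is dropped outright.
        ct state established,related accept
        ct state invalid drop

        # IPv6 neighbour discovery must pass or IPv6 on the link breaks.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # The single externally reachable listener: WireGuard itself.
        # WireGuard discards packets from unknown keys without replying.
        udp dport 51820 accept

        # Management (ssh) is reachable only from inside the tunnel.
        iif "wg0" tcp dport 22 accept

        # Everything else hits the chain policy: silent drop, no RST,
        # no ICMP unreachable.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Two practical notes. First, test the ruleset from a second session before relying on it, since a typo in the wg0 rule locks you out of ssh exactly the way the comment above describes. Second, `ct state invalid drop` is placed before the WireGuard accept on purpose: WireGuard is UDP, so conntrack tracks it loosely, and the initial handshake packet from a legitimate peer is a "new" state, which the `udp dport 51820 accept` rule still admits.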
WireGuard _all_ of the things
That is a good idea. My example is for people that expose ssh/sftp on purpose such as a public SFTP server for sharing who knows what.