Assuming password authentication is disabled, why wouldn't you SSH into your hosts over the open net? Why Tailscale? Why Wireguard?

Great question...the answer is I don't, because I don't have any web hosting servers, or even persistent app servers for that matter. I've built 99% serverless for 10 years now and it has been glorious. Will never go back to managing individual hosts ever again if I can help it.