> Port knocking is mostly a bad idea

Hard disagree... there can be other valid perspectives.

> If you don't consider it a security control

I think it can be a security control depending on who/what you are trying to secure it from.

Can network operators along the route of your packets see what you're doing? Sure. But if you are only protecting against mass scanning or individual threat actors, they won't have access to that information.

wouldnt it be easier and more secure to just hide sshd behind vpn?