It’s off by default, but it allows you to turn it on in the advanced settings. Seems like a good compromise, especially since it lets you whitelist clients.

If you were using the router as a secondary network, like for IoT or homelab, it would kind of make sense to allow SSH or other logins from WAN, as long as the WAN was also your network and not the open internet.