I absolutely agree with your. It can makes sence the disable it for access control, loging, auditing, etc. .
But when you look online or just in the comment section here lots of ppl actually recommend it as a security meassure against attackers. “Need to brute force the username as well”