I get the mentality but it feels very much like security through obscurity. When did we decide that that was the correct model?
This is not security via obscurity; it is reducing your attack surface as much as possible.
Security through obscurity is still better than no obscurity...
Hey, cofounder here. Since it takes my 16-year-old neighbor's son 15 mins and $100 Claude Code credits to hack your open source project
They probably lack a sufficient density of people who remember why "security through obscurity" became an infamous concept. It belongs to that family of bad ideas that's superficially appealing, especially if you're still at that stage of your career at which you think past generations were full of idiots and you, alone, have discovered how to do real software development.
Security through obscurity is only problematic if that is the only, or a primary, layer of defense. As an incremental layer of deterrence or delay, it is an absolutely valid tactic. (Note, not commenting on whether that is the rationale here.)