Well, perhaps what happened was they tripwired which is realistic in a blackbox test. If you'd whitelist an IP range from a pentester, you are on greybox testing area already.

There's another reason to not allow to/from such countries: malware (e.g. phishing).

But what they do instead is use residential proxies or VPS. And I happen to live in a country where they like to rent such.

I have done whitelisting of IPs. But I have a solid ISP who notice me beforehand when my static IPv4 changes, they also provide IPv6. One admin had DHCP, so he was there whitelisted in a CIDR range (on the jumphost). Which is also why I said you need to consider to whitelist a range. When I had the same ISP in different country (Liberty Global daughter) I had a static IP because my router was (at my request) in bridge mode. What you do in PF is IP lists which can be reused (anchors), and something like OPNsense allows to configure such automatically. You can even use dynamic DNS here, having your admin update it should the need arise. Then you do not need some kind of CIDR range.

The thing with all those scanners though is: they wouldn't get in if OpenSSH ran on 22 and Wireguard on 51820. It just reduces the noise in logs.