Security through obscurity is only bad when it’s the only measure used. If proper security is also in place, it is the cherry on top.

For example, while I know that ssh bruteforcing bots won’t enter my server no matter how much they try, putting ssh on a non-standard port reduces the number of tries to zero.