Yes but best practices still apply for example client networks in office do not by default have access to network equipment.
This is where VPN services like Junos (ironically Juniper) work well because they give you 2FA and group based access. So if you're not in the networking admins group then you have no reason to have SSH access to the networking equipment.
The weakest application in your server farm can provide a way into the local network. One of the reasons Amazon uses their own software-defined network switches is so they can limit internal connectivity within their "cloud" to prevent such attack escalation.
This is where VPN services like Junos (ironically Juniper) work well because they give you 2FA and group based access. So if you're not in the networking admins group then you have no reason to have SSH access to the networking equipment.