
The blog post explicitly addresses this, but you don’t seem to interact with its point. We have evidence that smash-and-grab attacks exist, and since they affect more people, you’re more likely to get screwed by something like the recent eslint-scope thing than a targeted attack where the attacker does shit to your .profile.

That said, yes: you should have long-held auth on a hardware token and then use an SSH CA for temporary auth.


