They are talking about the command= option in the authorized_keys file, not "public keys".
And there are no tricks or other ways to obfuscate it; looking at the authorized_keys file, it stands out very clearly, as one sees English words instead of random hex.
It lies, as neither ssh nor sshd cares about the .pub file at all. This file is written by ssh-keygen and only exists to make it easier to create authorized_keys.
I suppose one can put an evil command into the .pub file and wait until the user does "cp id_foo.pub authorized_keys" without examining the contents of either file. But that does not happen often at all (how often do you set up a new machine?), and it is defeated trivially by checking the authorized_keys file after you update it, something which is always a good idea anyway.
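
An added example, not part of the original comment: one way to do the check it recommends is a small Python parser that lists every authorized_keys entry carrying options such as command=, including quoted values that contain spaces, commas or escaped quotes. The function names, the sample file contents and the key-type list (not exhaustive) are assumptions made for illustration.

```python
import re

# Key-type names that can start a plain entry (assumed list, not exhaustive).
KEY_TYPE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = r'''# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 user@laptop
command="/usr/local/bin/backup --full, quiet",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 backup@host
no-port-forwarding,command="echo \"hi\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 ci@build
'''

def split_options(line):
    """Split the leading options field; it ends at the first unquoted whitespace."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote and line[i + 1:i + 2] == '"':
            cur.append('\\"')          # escaped quote stays inside the value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append("".join(cur))  # unquoted comma separates options
            cur, i = [], i + 1
            continue
        elif ch in " \t" and not in_quote:
            break
        cur.append(ch)
        i += 1
    opts.append("".join(cur))
    return opts, line[i:].strip()

def audit(text):
    """Return (line number, options, key type) for every entry that has options."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or KEY_TYPE.match(line.split()[0]):
            continue                   # blank, comment, or plain key
        opts, rest = split_options(line)
        findings.append((n, opts, rest.split()[0] if rest else None))
    return findings

if __name__ == "__main__":
    for lineno, opts, keytype in audit(SAMPLE):
        print(f"line {lineno}: {keytype} options={opts}")
```

Any line whose first field is not a recognized key type is reported, so a malformed entry shows up for review as well.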