I think I interpret the phrase "don't roll your own crypto" as expanding out to something like "don't roll your own crypto unless you're willing and able to prioritize solving any vulnerabilities that people report to you". Someone who is porting a well-regarded cryptography codebase by carefully going through all of the relevant code and matching all of its intentional behavior has a credible claim they're part of the exception.
People who have put in the time to learn the common failure modes of cryptography attempts and how to solve them could make the claim they're in the exception to some degree. Someone who can't imagine how they would begin evaluating a report about something like "ciphertext malleability" shouldn't.
I mean fair enough I suppose? I've always gone with the idea that "don't roll your own crypto" meant not implementing cryptographic building blocks. Which is reasonable and fair. I just take issue with it being something you'd apply to all crypto code.
I don't care if you write crypto code. I never said I cared if you write crypto code. But don't:
1. Deploy your code
2. Publish your code in a package ecosystem
3. Encourage other people to use your code
...unless it's survived the gauntlet of peer review and has a good rationale for existing in the first place.
The reason I proposed an onion model for this discourse is that there isn't a binary switch where "if you do X you are rolling your own crypto but if you do Y you aren't rolling your own crypto". The deeper you slice, the more danger and responsibility you've incurred.
People who think "it's fine to build a custom protocol out of cryptography bricks because I'm not rolling my own bricks" are the highest risk group in software developers. Even more so because (as tptacek constantly points out) most vulnerabilities occur at the joinery.