
The problem with this is, you spend a lot of effort for low benefit. You should spend it on actual security instead.



Changing a port and enabling aslr are not "a lot of effort".

Changing the port is not the kind of security measure that will consume a lot of the attacker's resources.

Sure, it'll do nothing to stop a determined attacker, but it does wonders to stop the noise from passive scanners.

Are you familiar with the Swiss cheese model of risk management[0]? Obscurity is just another slice of Swiss cheese. It's not your only security measure. You still use all the other measures.

[0] https://en.wikipedia.org/wiki/Swiss_cheese_model


It will conserve a lot of defender resources, it will completely bypass all mass scans, and it will make "determined attackers" much more visible as they will have to find the port first which will show up in logs and potentially land them in a tarpit.
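An added example, not part of the thread: a sketch of the log-side check the comment above alludes to, separating sources that only hit the default port from sources that probed several closed ports before reaching the moved service. The log format, the port number 49222, the threshold and the function name `classify` are assumptions made for illustration.

```python
import re
from collections import defaultdict

SERVICE_PORT = 49222   # assumption: the non-default port sshd was moved to
PROBE_THRESHOLD = 3    # distinct closed ports hit before we call it a scan

# Constructed sample firewall log (simplified format, not a real tool's output).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DROP src=198.51.100.9 dpt=22
2024-05-01T10:00:02Z DROP src=198.51.100.9 dpt=22
2024-05-01T10:03:10Z DROP src=203.0.113.7 dpt=22
2024-05-01T10:03:11Z DROP src=203.0.113.7 dpt=2222
2024-05-01T10:03:12Z DROP src=203.0.113.7 dpt=8022
2024-05-01T10:03:15Z ACCEPT src=203.0.113.7 dpt=49222
2024-05-01T10:05:00Z ACCEPT src=192.0.2.44 dpt=49222
"""

LINE_RE = re.compile(r"^(\S+) (DROP|ACCEPT) src=(\S+) dpt=(\d+)$")


def classify(log_text, service_port=SERVICE_PORT, threshold=PROBE_THRESHOLD):
    """Label each source: 'noise', 'direct' or 'scanned-then-found'."""
    probed = defaultdict(set)  # src -> distinct closed ports it has hit
    labels = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        _, action, src, dpt = m.groups()
        port = int(dpt)
        if action == "DROP":
            probed[src].add(port)
            # Stays 'noise' unless the source later reaches the service.
            labels.setdefault(src, "noise")
        elif port == service_port:
            # Reached the real service: did it have to hunt for the port?
            if len(probed[src]) >= threshold:
                labels[src] = "scanned-then-found"
            else:
                labels[src] = "direct"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```
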

What would be "actual security" in this context?

This isn't about security of the same kind as authentication/encryption etc where security by obscurity is a bad idea. This is an effort where obscurity is almost the only idea there is, and where even a marginal increase in difficulty for tampering/inspecting/exploiting is well worth it.


The one not described as "security through obscurity".

My point is: the "security through obscurity is bad" and "security through obscurity isn't real security" are both incorrect.

They apply to different threats and different contexts. When you have code running in the attackers' system, in normal privilege so they can pick it apart, then obscurity is basically all you have. So the only question to answer is: do you want a quick form of security through obscurity, or do you not? If it delivers tangible benefits that outweigh the costs, then why would you not?

What one is aiming for here is just slowing down and annoying an attacker. Because it's the best you can do.


Somehow your approach was not chosen by Intel ME or AMD PSP, and they remain unbreakable.

That's orthogonal to this. That requires special hardware and using those doesn't really rule this out as an additional measure.


