I had been out of the loop lately and had not seen port knocker. it’s a good idea.
I suggested a year ago in my organization that we build a dynamic DNS server. Clients would run the DDNS client. The firewall would then only accept IP traffic from users authenticated on the DDNS platform.
It would stop the drive by hackers dead in their tracks. Securing against a person specifically trying to hack you such as an employee or a customer is a different requirement and a risk most accept for the convenience of remotes access.