I usually hear "but it's security by obscurity" argument from people who are not involved in security in a professional way. If you need to protect a high-value target, confusing the attacker is a must. It's also reflected in various security standards and guidelines (See e.g. SP-800 171-B, 3.13.2e: Disrupt the attack surface of organizational systems and system components through unpredictability, moving target defense, or non-persistence. )