"the attacker probably won't do that" is very much part of threat modeling, the #1 step in any serious security design.

In any serious security design, "the attacker probably won't do that" would and should be shot down immediately. If your security strategy is hoping that an attacker will be kind enough to not exploit your open vulnerability, you've already failed at threat modeling and at security.

If an attacker can do it, you must assume they will do it. Because they will. That should be the starting point for any threat model.

"the attacker probably won't intercept the mail and install rootkits on brand new hardware"

"the attacker probably won't read my password through the wall from the radiation off my keyboard"

if your starting point is APT-level adversary then you might as well give up

What brand of locks do you have on your doors at home and does the lockpicking lawyer have a video of going through them in a few seconds?

that's cool man, i'm still going to block the 99.9999% of attackers that don't own my isp. you are conflating "bad idea in extremely exotic scenario" with "counterproductive"; ever heard of defense in depth?