It really depends on the situation. For a mature, mass-produced product going into sensitive places, sure, disable it before it goes into the field. Same for very security-focused hardware.
But most of the "pizza-box-shaped" things I've worked on in telecom have jtag enabled even when in the field. I've never thought about it much, but to actually get to a jtag interface requires a level of physical access that would be far-fetched unless you're talking about "James-Bond-level" bad actors or "inside-job" people who are already entrusted with an enormous amount of privileges anyway.
JTAG is super useful for troubleshooting and in general, for things that aren't throw aways and that can be repaired, re-calibrated, or re-configured, it makes sense to keep it available.
But most of the "pizza-box-shaped" things I've worked on in telecom have jtag enabled even when in the field. I've never thought about it much, but to actually get to a jtag interface requires a level of physical access that would be far-fetched unless you're talking about "James-Bond-level" bad actors or "inside-job" people who are already entrusted with an enormous amount of privileges anyway.
JTAG is super useful for troubleshooting and in general, for things that aren't throw aways and that can be repaired, re-calibrated, or re-configured, it makes sense to keep it available.