I’ve had this argument so many times over the years, and usually the response comes down to security by obscurity because people won’t know the non-root username.
That, I guess, is relevant in the context of brute-force login, which, given you only use keys with it, is not really something I would stress over. However, depending on what that user does, there might be vulnerable services running with its privileges, or there might be supply-chain vectors for tools that user runs.