I think they might be targeting cloud providers that expose such endpoints to their clients.

I built clusters using ingress-nginx at my old job and I can guarantee you that not one single endpoint of k8s was accessible outside of NAT.