The biggest problem with the SSHFP RR is the trustworthiness of DNS to deliver the answer record.
Most everything does not enforce that its DNS resolver return only the DNSSEC-verified answer RR.
It is not a problem at all if you set the resolver to return only the DNSSEC-verified answer RRs; then again, most common websites would then stop working simply because they don’t use, or don’t have a proper setup of, their DNSSEC overhead.
Most implementations of SSH public key distribution are delivered under cover of TLS, IPsec, or variants of secured tunneling just because … because it IS metadata.
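The check the comment above says is usually missing, as an added example that is not part of the original comment: an SSHFP answer is accepted only when the resolver set the DNSSEC "Authenticated Data" (AD) header bit and the fingerprint matches the key the server presented. The host name, key blob and response bytes are constructed samples, and the function names are hypothetical.

```python
import hashlib
import struct

AD_FLAG = 0x0020     # "Authenticated Data" bit in the DNS header flags
TYPE_SSHFP = 44      # SSHFP RR type (RFC 4255)

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(name, rdata, ad):
    """Constructed sample: one question, one SSHFP answer."""
    flags = 0x8180 | (AD_FLAG if ad else 0)          # QR, RD, RA (+ AD)
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!2H", TYPE_SSHFP, 1)
    answer = b"\xc0\x0c" + struct.pack("!2HIH", TYPE_SSHFP, 1, 300, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def trusted_sshfp(msg, host_key_blob):
    """True only for a validated (AD set, RCODE 0) SHA-256 SSHFP match.
    Assumption: the AD bit comes from a validating resolver reached over a
    trusted path (e.g. on localhost); otherwise the bit itself can be forged."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & AD_FLAG or flags & 0x000F:
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        # RDATA: algorithm (1 byte), fingerprint type (1 byte, 2 = SHA-256), digest
        if rtype == TYPE_SSHFP and len(rdata) > 2 and rdata[1] == 2:
            if rdata[2:] == hashlib.sha256(host_key_blob).digest():
                return True
    return False

KEY_BLOB = b"constructed-sample-host-key-blob"        # stands in for the server's key
RDATA = bytes([4, 2]) + hashlib.sha256(KEY_BLOB).digest()   # 4 = Ed25519, 2 = SHA-256
```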