Brute forcing SSH usually works when folks have a weak password (and humans are very bad at picking secure passwords).
If you prevent the use of passwords in favour of only allowing public/private key pairs (default in /etc/ssh/sshd_config). If you install an IDS like Fail2Ban then it's safe to open port 22 to the public internet.
You should also read https://www.raspberrypi.org/documentati ... ecurity.md
and follow the advice published there.
Fail2ban on my system has blocked 159 potential attackers since 17th November 2019. That machine has been open to the public internet since 2014 (when it replaced my old Viglen server).