OpenSSH now prefers the ChaCha20 cipher over AES. In theory that's a good thing as it requires less CPU cycles. The problem is that many modern systems have AES offloading, meaning that AES is still the fastest choice. Even when it is about the same speed, using dedicated hardware means that we free up the CPU for other things.
We need to have a look at this and do some testing. We probably need to have some detection logic in OpenSSH or tlclient to dynamically pick the best option based on what hardware is present.
If it's good enough for everyone else using OpenSSH then it is good enough for us. We'll trust that upstream is doing what is best here. If we see performance problems with OpenSSH then we can revisit this.