Re: “incorrectly believed those tokens were unused”
Key management can be a complex issue. Imagine an SSH client key gets compromised, or retired, or otherwise invalidated: are you sufficiently on top of your machine inventory to be able to go through every authorized_keys file to be sure that key has been scrubbed from all of them?
Remember, it’s not just real machines, but virtual ones and containers as well.