For me the clear threshold for when you've gone too far with SSR is if it needs auth. Just do not go there. So this is not an SSR issue per se, it's poor SSR implementation issue IMO.
I'm not sure why that threshold needs to exist. It shouldn't be any harder for your SSR to check a cookie than it is for your REST API to check a cookie. There are some benefits of SSR that don't apply to pages with private content, namely being able to cache the HTML response in a CDN and (arguably) being treated better by search engine crawlers, but many of the benefits of SSR apply just as well to private content.
