Disallow SSH root login

without-password is a synonym for prohibit-password. Older openssh had only the former. The latter sounds more intuitive, while both mean that root cannot log in with a password.

In the installer of EL9 there is an opt-in checkbox which, if selected, adds a file with PermitRootLogin yes to override the default PermitRootLogin prohibit-password. (On EL9 there is a directory /etc/ssh/sshd_config.d/ where one can drop in customizations. EL8 has a dir only for client customizations: /etc/ssh/ssh_config.d/.)

Do you ssh to your workstation, ever? If not, then you could disable the sshd.service. No process, no vulnerability.

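An added example, not from the post above: a small POSIX sh resolver that reads an sshd_config the way sshd does (first value wins, an Include line pulls drop-in files in at that point), folds the old without-password spelling into prohibit-password, and builds a constructed EL9-style tree under a temp dir to show why a drop-in beats the default. The drop-in file name is made up; on a real host `sshd -T | grep -i permitrootlogin` is the authoritative check.

```shell
#!/bin/sh
# Added example, not from the forum post. Resolves the effective PermitRootLogin
# by emulating sshd's rule: the first value obtained wins, and an Include line
# is expanded in place, so a drop-in included near the top of sshd_config
# overrides whatever comes later (or the compiled-in default).
# Match blocks are not modelled; `sshd -T` on the host is the real answer.

# Emit the first PermitRootLogin value in file $1, following Include globs.
# Returns 1 if the directive never appears in the file or its includes.
first_permit_root_login() {
    cfg="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                 # split keyword / arguments (globs expand here)
        [ $# -gt 0 ] || continue     # blank line
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        case "$kw" in
            permitrootlogin) printf '%s\n' "$1"; return 0 ;;
            include)
                for f in "$@"; do
                    [ -f "$f" ] || continue
                    if v=$(first_permit_root_login "$f"); then
                        printf '%s\n' "$v"; return 0
                    fi
                done ;;
        esac
    done < "$cfg"
    return 1
}

# Effective value: fall back to the OpenSSH default (prohibit-password) and
# normalise the older synonym without-password to the same meaning.
effective_permit_root_login() {
    v=$(first_permit_root_login "$1") || v="prohibit-password"
    if [ "$v" = "without-password" ]; then v="prohibit-password"; fi
    printf '%s\n' "$v"
}

# Constructed EL9-style layout: the main file only includes the drop-in dir
# (the directive itself is left commented out, as shipped), and a drop-in
# with a made-up name carries the installer's PermitRootLogin yes.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n' \
        "$d" > "$d/sshd_config"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.d/01-demo.conf"
    printf '%s\n' "$d"
}
```

Running `effective_permit_root_login "$(make_demo_tree)/sshd_config"` prints `yes`; delete the drop-in and it prints `prohibit-password`.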