allowing zlib compresison is a server side risk.

delaying compression until the user is authenticated reduces
the server side risk.

i don't see why the code should change.

if it's a problem, then only in the documentation:

Specifies whether compression is allowed, or delayed until the
user has authenticated successfully. The argument must be
``yes'', ``delayed'', or ``no''. The default is ``delayed''.

openssh-unix-dev mailing list