denniscarter
just joined
Topic Author
Posts: 1
Joined: Wed Jan 18, 2023 11:46 am

SSH server interface list

Wed Jan 18, 2023 11:47 am

Hello!
ROS 6.47.8
I was forced to factory reset the RB750.
Now I can access the device via ssh only from the interface specified in the LAN list that appeared as "defconf" after reset and was filled with default bridge only.
I made the initial setup really from the local network and did not notice that there is no ssh access from vpn.
Of course, I can create a port 22 firewall rule for the desired interface.
But I have a bunch of the same devices that perfectly allow you to access them via ssh without special firewall rules from anywhere except the Internet.
If you add the vpn interface to the LAN list, everything immediately starts working and access via ssh appears.

The question is, where is the ssh server setting that specifies which interfaces to listen on by default?
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: SSH server interface list

Wed Jan 18, 2023 6:08 pm

There isn't one, the SSH server listens on all interfaces.

Default firewall rules have changed over time, currently they include 'drop input not from LAN interface list' which as you have found prevents access via VPN without additional rules or changes to the 'LAN' interface list. An earlier version of the rules had 'drop input from WAN interface list' so any additional interfaces not present in the 'WAN' interface list would just work, and much earlier there were no firewall rules at all.

Just modify any factory default items as necessary for your use case. For your other devices, if they have been repeatedly upgraded over time, it would be worth reviewing the rules to make sure they offer adequate protection, as any improved factory defaults are not applied when an existing device is upgraded.
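
An added example, not part of either post and not MikroTik tooling: a small Python check that reads the text of a RouterOS `/export` and reports which of the three generations of default input rules described above a device resembles, which is useful when reviewing a fleet of repeatedly upgraded routers. The export excerpts are constructed, the function names are hypothetical, and the export is assumed to wrap long lines with a trailing backslash.

```python
import re
import shlex

# Constructed /export excerpts for illustration (not from a real device).
NEW_DEFAULT = r'''/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
'''
OLD_DEFAULT = '''/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface-list=WAN
'''
NO_RULES = '''/ip address
add address=192.168.88.1/24 interface=bridge
'''

def input_rules(export_text):
    """Yield a key=value dict for each chain=input rule under /ip firewall filter."""
    text = re.sub(r"\\\n\s*", "", export_text)  # join lines wrapped with a trailing backslash
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rule = dict(t.split("=", 1) for t in tokens if "=" in t)
            if rule.get("chain") == "input":
                yield rule

def classify(export_text):
    """Name the input-chain policy by its first interface-list drop rule."""
    rules = list(input_rules(export_text))
    if not rules:
        return "no-input-rules"
    for rule in rules:
        iface_list = rule.get("in-interface-list", "")
        if rule.get("action") == "drop" and iface_list:
            if iface_list.startswith("!"):
                return "drop-not-from-" + iface_list[1:]
            return "drop-from-" + iface_list
    return "no-interface-list-drop"

if __name__ == "__main__":
    for name, text in [("new", NEW_DEFAULT), ("old", OLD_DEFAULT), ("none", NO_RULES)]:
        print(name, classify(text))
```

A result of `drop-from-WAN` or `no-input-rules` marks a device where SSH is reachable from any interface not explicitly listed, including ones added later.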
