Risk of running services on ports >1024

Services running on ports < 1024 (at least on *nix servers) are generally considered to be more secure, because they require root (or a trusted user that has root privileges) to start them - whereas services running on ports >= 1024 could be run by an untrusted (possibly rogue) user on the server.

So, it is plausible that an attack like the one described in the reddit post that you copied could be pulled off by a malicious user on the server, without root privileges.

With regard to "1. The rogue process cannot access the host keys, so would present a different fingerprint to the user when connecting, alerting them to an issue.": This is true - if a user had logged into the server previously, and his SSH client pinned the server's public key. In this case, the user's SSH client would (presumably) warn him that the server's public key has changed, and the user would (presumably) know that something's up. But, the user would only be warned if he had logged into the server previously and his client pinned the server's public key.

With regard to "2. If key based authentication is in use, little can be gained from intercepting communications.": I'm skeptical about this. The user's SSH client would send its public key, as usual during the start of an SSH session, then the rogue SSH server could simply authenticate the client (as is normally the case when the client's public key is present in the server's authorized_keys file) and proceed with the session using the public key that the client sent.
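
The pinning behaviour discussed under point 1, as an added example that is not part of the original answer: a simplified Python model of how a client decides between "key matches", "key changed" and "host never seen" from `known_hosts`, including the `[host]:port` form OpenSSH uses for non-default ports and hashed entries. The host names, salt and key blobs are constructed placeholders, and wildcard patterns and `@` marker lines are deliberately not handled.

```python
import base64, hashlib, hmac

def host_token(host, port=22):
    # OpenSSH stores non-default ports as "[host]:port" in known_hosts.
    return host if port == 22 else f"[{host}]:{port}"

def fingerprint(key_b64):
    # Same form as the fingerprint ssh prints: SHA256 of the key blob, unpadded base64.
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_entry(token, salt):
    # HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=token))
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def entry_matches(pattern, token):
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(pattern, hashed_entry(token, salt))
    return pattern == token  # simplification: no wildcard or negated patterns

def check_host_key(known_hosts, host, port, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server presented."""
    token, pinned = host_token(host, port), False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":  # skip comments and marker lines
            continue
        hosts, ktype, kb64 = fields[:3]
        if ktype == key_type and any(entry_matches(p, token) for p in hosts.split(",")):
            if kb64 == key_b64:
                return "match"
            pinned = True
    return "changed" if pinned else "unknown"

# Constructed sample data: these blobs are placeholders, not real SSH keys.
LEGIT = base64.b64encode(b"constructed legitimate host key").decode()
ROGUE = base64.b64encode(b"constructed rogue host key").decode()
KNOWN_HOSTS = "\n".join([
    f"[files.example.test]:2222 ssh-ed25519 {LEGIT}",
    f"{hashed_entry('[db.example.test]:2200', b'constructed-salt')} ssh-ed25519 {LEGIT}",
])

if __name__ == "__main__":
    for host, key in [("files.example.test", LEGIT), ("files.example.test", ROGUE), ("new.example.test", ROGUE)]:
        print(host, fingerprint(key), check_host_key(KNOWN_HOSTS, host, 2222, "ssh-ed25519", key))
```

The `unknown` result is the first-connection case: nothing is pinned for that host and port, so the only protection is comparing the printed fingerprint against one obtained out of band before accepting it.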