quotemstr 7 days ago

Things called "security" that don't follow Kerckhoffs's principle aren't security. There are a lot of things adjacent to security, like spam prevention, that sometimes get dumped into the same bucket, but they're not really the same.

Security measures uphold invariants: absent cryptosystem breaks and implementation bugs, nobody is forging a TLS certificate. I need the private key to credibly present my certificate to the public. Hard guarantee, assuming my assumptions hold.

Likewise, if my OS is designed so sandboxed apps can't steal my browser cookies, that's a hard guarantee, modulo bugs. There's an invariant one can specify formally --- and it holds even if the OS source code leaks.

Abuse prevention? DDoS avoidance? Content moderation? EDR? Fuzzy. Best effort. Difficult to verify. That these things are sometimes called security products doesn't erase the distinction between them and systems that make firm guarantees about upholding formal invariants.

HN abuse prevention belongs to the security-adjacent but not real security category. HN's password hashing scheme would fall under the other category.

tptacek 7 days ago

This is simply not true. At the highest levels, security is about distributing costs between attackers and defenders, with defenders having the goal of raising costs past a threshold where attacks are no longer reasonable expenses for any plausible attacker. Obfuscation, done well, can certainly play a role in that. The Blu-ray BD+ scheme is a great case study on this.

quotemstr 6 days ago

A definition can't be right or wrong. We're using different definitions of the word "security". What would you call the rigorous invariant-based conceptualization I call "security"?

tptacek 6 days ago

Incoherent.

DonHopkins 6 days ago

"Security Through Pedantry"