There’s quite a lot of programs that make use of XDG_CONFIG, with the default set to .config in most distros. However, there’s also quite a few programs that have rejected this, sticking with a format that is not XDG-conforming.
One such example is OpenSSH, as can be seen in the following page - it makes use of the ~/.ssh directory. Why is that OpenSSH does not conform to this specification? Are there any security vulnerabilities? If so, then shouldn’t there be another specification by Freedesktop.org, which allots a secure directory for the same?
More specifically, XDG is more related to Linux. It was the name of the freedesktop group. OpenSSH is more related to OpenBSD. However, none of that is strictly true - freedesktop/XDG isn’t just about desktop, XDG directories are not completely neglected by OpenBSD and OpenSSH isn’t used by just OpenBSD. dotfiles sprawling is a common problem - so OpenSSH should probably follow it as well.