WordPress “Site Health Status” trust it or myself for its security advice?

I’m using WordPress to host a few sites. Lately it includes this feature called Site Health Status. This information has in part been valuable, but it also itches me the wrong way somehow that I can’t get it to show “green” due to something I’d consider non-issues 😉

Here is how the “critical issue” looks.

Here’s the relevant text excerpt, because search engines aren’t all too good with indexing text from screenshots:

Background updates are not working as expected [Security]

Background updates ensure that WordPress can auto-update if a security
update is released for the version you are currently using.

The folder /vhosts/sitename is indeed under version control and the actual blog is under /vhosts/sitename/blog and that’s what the web server serves as webroot. However, /vhosts/sitename/wp-config.php contains the blog configuration. As WordPress allows it to live outside of the webroot, that’s what I opted for out of security reasons. Anyway, the conclusion from this first (yellow) point should be that there’s no way anyone could glean the contents of the version control system, since it lives entirely outside the webroot.

The second (and red) point is about FTP credentials. This one I find particularly unnerving. I have scripts in place, I have 2FA, and the servers in question are only accessible via SSH (and by extension SFTP). WordPress doesn’t support SFTP nor would I want to enable this at all. In fact the files inside the webroot have tight file modes so that even in case a breach occurred very little could be done. In other words, I am updating WordPress in a semi-automated fashion triggered manually. Unlike some setups of WordPress I have seen or administrated in the past with FTP enabled, I haven’t had a breach, going by all the indicators I have available. So to me this is the desired setting. But someone decided to categorize this as a critical issue.

So my questions (two actually):

NB: I am not interested in having the overall feature (or the visible widget) removed. I simply want this feature to be valuable and that means not raising the alarm when nothing is wrong, as far as I’m concerned.

After setting define('FS_METHOD','direct'); in wp-config.php – as per recommendation from the one answer at this point – the message changed, but still shows as critical issue 🤨