> Self signed certs on an internal network are more secure than CA signed cert on a cloud.

Not if your threat model is someone who already has access to the local network (which has no one managing it) snooping on traffic.

It's still encrypted. They would have to man in the middle and hope that the user has not already accepted a cert. Exactly like most ssh servers.