This was surprising, so I searched the forums and at least found:
actually via this thread:
There's still not a lot of details in those, but I'm guessing that the race condition is between the startup of uhttpd vs. the network interface(s) configured for it? I.e. the LuCI service configured to listen on 192.168.1.1 comes up before the interface with that IP address → problems? And same for the ssh daemon too?
I forget where I found the instructions for limiting the listening interfaces, but ideally that warning might be more prominent if it's in the wiki or whatnot. Otherwise the "obvious" thing to do is listen only on the more trusted interfaces to start with, rather than listening on all interfaces and then hoping the firewall ends up remaining reliably configured to block some/all traffic) is to listen.