A reasonable argument and I agree that impersonation is still possible without the scammer taking the excact username but it’ll still be easier to fool your contacts when you don’t have an active account.

For example consider two worlds - in one you have an instagram account, in the other you don’t. The world in which you have the account, people who only know you through that account and don’t use other platforms where you’re on, are less likely to fall victim to scams because they can always verify that the scammers account isn’t your account. In the other world this isn’t possible and thus it is more likely people who don’t know you directly will believe the scammer.

Also my point on the cost of the account still stands. I do admit that having an open account which gets scraped is an issue but if you have a “private” account, most of the 3rd parties lose access to it’s content. Although I’m sure three letter agencies and meta have a custom API which can query all accounts, public or private, the point you’re trying to make is moot, as if we’re talking about opsec, if you already have an (insta) account, all it’s data is logged somewhere and it likely won’t be deleted in the near future.