
The rule is probably something like "if !paid: deny tcp 80, deny tcp 443". (Hopefully they got UDP for HTTP/3.) I suppose this has the desired effect of captive portals (break GMail until you pay), without having to field support requests from geeks ("I paid but SSH doesn't work, refund me"). I think their plan is that whatever obscure app you're using negotiates over HTTPS, but then actually transfers the data over some other port. I bet things like Zoom work that way. By not touching the obscure data paths, you avoid support requests.

Either that, or they just felt like throwing a fellow nerd a bone. If you ask the PM, "should I block SSH?" they'll say yes, but if you just put it in there, who knows ;)




Whoever set that up probably wanted it for their own use, both for easily managing the system when they need to work on it, and for themselves when they're travelling anywhere.

If I'm ever in charge of rigging up a captive portal system like this, I'm certainly going to do something similar if I can get away with it. Maybe even put a hint on how to bypass in the portal's page source. "ssh works on port 46969, don't tell anyone." > rot13 > base64 -> "cache-burst-ID: ZmZ1IGpiZXhmIGJhIGNiZWcgNDY5NjksIHFiYSdnIGdyeXkgbmFsYmFyLgo="

May be too obscure though.


Honestly, I think captive portals are probably on the way out, given how good 4G/5G is these days. I am not sure what business traveler wants 10kbps hotel wifi for $30/day when their phone gets 600Mbps down and 30Mbps up.


Most hotel wifi I’ve seen is free now. It’s still a captive portal for some reason - sometimes room/name but often just “click to accept”.



