Pushing the topic ... had the same problem when updating to 7.5.
The problem with allowing queries from 127.0.0.1 is that you can potentially send packets from external sources with spoofed source IP 127.0.0.1 via UDP. Since there have been multiple vulnerabilities in the past related to status queries, we decided to add noquery to the configuration.
Traffic from 127.0.0.1 shouldn't get through the internet-facing router in the first place. A network admin allowing this is a $INSERT_YOUR_FAVORITE_INSULT_HERE.
Anyway: how do you propose we monitor the NTP status? In any corporate environment monitoring the NTP status is crucial to external auditors because they insist that logs are in sync. Actually, I concur.
Consider this a request to expose NTP to a set of configurable IP addresses.
Yes, most routers or firewalls would not allow such packets, but we know about deployments where we can't rely on that.
Ideally ntpd would provide a unix domain socket for queries, but I don't think that's implemented. We need to look into the code to find out what other option we might have. May I ask you to open a feature request for this?
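The configurable allow-list asked for above, written out as an added example that is not part of this thread and not the project's shipped ntp.conf: the default restrict lines keep noquery (so mode 6/7 status queries are refused, including ones with a spoofed 127.0.0.1 source), only the hosts in NTP_MONITORS may send ntpq queries, and a small check parses `ntpq -c rv` output so a monitoring system can decide whether the clock is in sync. The monitor addresses 192.0.2.10 and 198.51.100.7 (documentation range), the 100 ms offset threshold, and both `ntpq -c rv` samples are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: ntp.conf restrict allow-list plus an ntpq -c rv sync check.
# Not from the thread or the project; all addresses and samples are assumed.

# Monitoring hosts allowed to send ntpq (mode 6) queries. Assumed addresses.
NTP_MONITORS="192.0.2.10 198.51.100.7"

# Emit the restrict section of ntp.conf. Everything, localhost included, keeps
# noquery; only the monitors may query, and even they may not modify or trap.
ntp_restrict_block() {
  printf '%s\n' \
    'restrict default kod limited nomodify notrap nopeer noquery' \
    'restrict -6 default kod limited nomodify notrap nopeer noquery' \
    'restrict 127.0.0.1 nomodify notrap nopeer noquery' \
    'restrict ::1 nomodify notrap nopeer noquery'
  for ip in $NTP_MONITORS; do
    printf 'restrict %s nomodify notrap nopeer\n' "$ip"
  done
}

# Belt and braces for the spoofing concern raised above: a netfilter rule that
# drops packets claiming a loopback source on any interface other than lo.
# Printed, not applied, so the script stays harmless to run.
ntp_antispoof_rules() {
  printf '%s\n' \
    'iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP' \
    'ip6tables -A INPUT ! -i lo -s ::1/128 -j DROP'
}

# Sync check for a monitoring system. $1 = maximum acceptable |offset| in ms,
# stdin = output of `ntpq -c rv <server>`. Prints OK and returns 0 when the
# leap indicator is 00, the stratum is usable (1..15) and the offset is within
# the threshold; otherwise prints the reason and returns 1.
ntp_check_rv() {
  awk -v maxoff="$1" '
    BEGIN { RS = ","; FS = "=" }
    { gsub(/^[ \t\n]+|[ \t\n]+$/, "", $1) }
    $1 == "leap"    { leap = $2 }
    $1 == "stratum" { stratum = $2 + 0 }
    $1 == "offset"  { off = $2 + 0; if (off < 0) off = -off }
    END {
      if (leap == "00" && stratum > 0 && stratum < 16 && off <= maxoff) {
        print "OK"; exit 0
      }
      print "FAIL leap=" leap " stratum=" stratum " offset_ms=" off; exit 1
    }'
}

# Constructed `ntpq -c rv` output for a synchronised server (assumed values).
SAMPLE_RV_OK='associd=0 status=0618 leap_none, sync_ntp, 1 event, no_sys_peer,
version="ntpd 4.2.8p10@1.3728-o Mon Jul 24 22:40:30 UTC 2017 (1)",
processor="x86_64", system="Linux/4.9.0-3-amd64", leap=00, stratum=2,
precision=-23, rootdelay=10.352, rootdisp=45.123, refid=192.0.2.1,
reftime=dd9b3e5f.5c28f5c3  Mon, Oct  9 2017 12:00:15.360,
clock=dd9b3f11.1b4e81b4  Mon, Oct  9 2017 12:03:13.106, peer=53521, tc=6,
mintc=3, offset=-0.512345, frequency=-9.876, sys_jitter=0.231456,
clk_jitter=0.156, clk_wander=0.012'

# Constructed output for a server that has lost synchronisation (assumed values).
SAMPLE_RV_BAD='associd=0 status=c012 leap_alarm, sync_unspec, 1 event, freq_set,
version="ntpd 4.2.8p10@1.3728-o Mon Jul 24 22:40:30 UTC 2017 (1)",
processor="x86_64", system="Linux/4.9.0-3-amd64", leap=11, stratum=16,
precision=-23, rootdelay=0.000, rootdisp=12.345, refid=INIT,
reftime=(no time),
clock=dd9b3f11.1b4e81b4  Mon, Oct  9 2017 12:03:13.106, peer=0, tc=3,
mintc=3, offset=0.000000, frequency=-9.876, sys_jitter=0.000000,
clk_jitter=0.000, clk_wander=0.000'

# Demonstration on the constructed samples; a real monitor would run
#   ntpq -c rv <ntp-server> | ntp_check_rv 100
# from one of the hosts listed in NTP_MONITORS.
ntp_restrict_block
ntp_antispoof_rules
printf '%s\n' "$SAMPLE_RV_OK"  | ntp_check_rv 100 || :
printf '%s\n' "$SAMPLE_RV_BAD" | ntp_check_rv 100 || :
```

Because 127.0.0.1 keeps noquery in this layout, `ntpq` run on the NTP server itself is refused as well; the monitoring host has to be one of the NTP_MONITORS addresses and query the server's real interface address. On Linux the kernel already discards packets with a 127.0.0.0/8 source arriving on a non-loopback interface unless route_localnet is enabled, so the netfilter rule mainly makes the intent explicit for deployments where the edge filtering discussed above cannot be relied on.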