You can have a server without a public IP; that’s totally doable. An internal server that’s only accessible from LAN or a VPN is still a server.

Also, the majority of compromises happen because of user error (e.g., someone opens/runs the wrong thing) or an unpatched machine, not because of an exploit in server software/because the machine is always on. This is especially true in the business world where it’s often a combination of human error and the network not being segmented/ACLs not being set properly/etc (lots of cases of human error).

It’s also not that unusual for someone to keep their e.g., desktop always on or their laptop/mobile device in a low power state where it still has network activity despite being “off.”