I didn't really find it that difficult to move from security consulting/research/code audits => dev/researcher at security vendors => machine learning engineer.
So I don't know how we decide whose anecdote wins here :p
Simple. If you value your career as a dev, you won't become a pentester. :) There's no upside except intellectually. Being a dev pays more and gives you more options going forward.
That's a harsh way to frame it, but it's also accurate. (I'm speaking from experience FWIW.)
In other words, you could have become an ML engineer anyway. No reason to risk it by becoming a pentester.
One thing to note is that dev paying more than security is a bit geographically dependent.
I know dev salaries in the US are very high, but in other countries (e.g. the UK) security posts can pay pretty well relative to many development posts.
In terms of options, there's a fair number of options available after pentesting, although most of them revolve around security in one guise or another. On top of the obvious moves into IT/Infosec management, there are new fields in security which open up alongside tech.
Recently there's been an expansion with fields like malware analysis, blue teaming, incident response and red teaming showing quite good expansion.
Within "pentesting" there are areas like IoT, automotive, maritime, etc. which can offer moves for people wanting to move on from more trad. pentest roles.