Looking more closely at this, it seems it would be a little tricky to implement this the "right" way as suggested in the RFC. There's an extension mechanism (RFC 8308) for checking if a server or client supports the RSA SHA-2 signature types, but Trilead doesn't implement extension negotiation (I had confused that with Apache SSH, which does).
The way I'll solve this is by just retrying a userauth request with other supported key algorithm formats until we run out. I tried this idea out with your docker setup, and it seems to solve the problem. The RFC mentions some SSH servers apply an authentication penalty for authentication failures, so the extension list mechanism is a more reliable way to try and detect supported formats before using them. We could potentially add an option to allow users to default to SHA-1 instead of SHA-2 as the first attempted algorithm for RSA keys in that scenario, though.
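
The trade-off described in the comment above, as an added example that is not part of the original comment and is not Trilead code: it compares blind retry across RSA signature algorithm names with filtering by an RFC 8308 `server-sig-algs` list, counting the failed userauth attempts each approach costs. The class, the method names and the simulated servers are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

// Illustrative sketch only: names here are hypothetical, not Trilead API.
public class RsaSigAlgFallback {
    // RSA signature algorithm names: the two SHA-2 variants, then legacy SHA-1 "ssh-rsa".
    static final List<String> SHA2_FIRST = List.of("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa");

    // Build the attempt order. serverSigAlgs is null when the client has no
    // RFC 8308 extension info and must guess; sha1First is the opt-in default.
    static List<String> candidates(Set<String> serverSigAlgs, boolean sha1First) {
        List<String> order = new ArrayList<>(SHA2_FIRST);
        if (sha1First) {
            order.remove("ssh-rsa");
            order.add(0, "ssh-rsa");
        }
        if (serverSigAlgs != null) {
            order.retainAll(serverSigAlgs); // never send a format the server did not list
        }
        return order;
    }

    // Try each format in turn. Returns how many userauth requests failed before
    // one was accepted, or -1 if the server rejected every candidate.
    static int failuresBeforeSuccess(List<String> order, Predicate<String> sendUserauth) {
        int failures = 0;
        for (String alg : order) {
            if (sendUserauth.test(alg)) {
                return failures;
            }
            failures++; // each rejection may count toward a server-side penalty
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed stand-ins for real servers: each accepts one signature format.
        Predicate<String> sha1Only = alg -> alg.equals("ssh-rsa");
        Predicate<String> sha256Only = alg -> alg.equals("rsa-sha2-256");

        System.out.println("SHA-1-only server, blind retry, SHA-2 first: "
                + failuresBeforeSuccess(candidates(null, false), sha1Only));
        System.out.println("SHA-1-only server, blind retry, SHA-1 first: "
                + failuresBeforeSuccess(candidates(null, true), sha1Only));
        System.out.println("SHA-256-only server, blind retry, SHA-2 first: "
                + failuresBeforeSuccess(candidates(null, false), sha256Only));
        System.out.println("SHA-256-only server, server-sig-algs known: "
                + failuresBeforeSuccess(candidates(Set.of("rsa-sha2-256"), false), sha256Only));
    }
}
```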