Serving pages and assets as pre-generated files allows read-only hosting reducing attack vectors even further. Meanwhile dynamic tools and services can be provided by vendors with teams dedicated to securing their specific systems and providing high levels of service.

using SSH is likely the best approach because personal access tokens have account level access

A Portuguese hospital was fined because of inadequate account management practices, such as having five times the number of active accounts than required and giving doctors blanket access to all patient files, irrespective of the doctor's specialty.