Secure deployment with Jenkins

Are there any recommendations on deploying software to production with Jenkins? One obvious choice is to SSH to the machine and run a script, but that means the SSH key is stored in Jenkins.

Another possibility is to install Jenkins on the PRD machine and include it as an executor. But this is probably even less secure, if someone manages to run jobs using that executor?

How do these approaches compare? Are there other approaches?