How kubectl is more secure than SSH Daemon / access into containers?

Various Kubernetes security recommendations tell you to avoid SSH into containers and ask to use kubectl instead. The prime reason quoted is the possibility of escaping to the underlying host resources via SSH into containers. So, I have following specific queries:

  1. Which features of kubectl prevent you to access host resources and why ssh has more risk of accessing host resources as compared to kubectl? How kubectl is more secure?

  2. Can SSH skip the Pod Security policies and access/mount paths on the underlying host which are restricted in pod security policy?

  3. If SSH into containers is unavoidable, how to secure it in the best possible way?