Yeah, and in this case I would suggest (to the client’s security team ...) that it would be far more secure to use an SSH certificate in this specific case, than to embed a password in a script ... even if the password is masked.   If the password does not have to be remembered, e.g. by peeking at the current copy of the script, then the security(?) of changing it frequently is (IMHO) more-than lost.

It would be good to dedicate a login-id on the host system specifically for this script (and other purposes), so that the certificate could only be used to log in to that (highly limited) account.   The certificate could only be used there.   A certificate is more-protected than the source code of the things that use it.