I think each has their merit and it's down to how you want to personally handle it depending on your circumstances.
Having a recovery disk in the same system on hand (on an m.2 no less) is obviously going to be fastest at recovery. The only concern there is it gets impacted during whatever the reason you need to recover from the first place. Otherwise, I've always liked this method myself.
Pulling a new installation as you need it, is going to get your the most recent updates, which older installation or recovery media may not have applied yet (and a possible reason it became vulnerable). But this is really only viable if you have a fast connection to pull that info from. That shouldn't be an issue most days today, but there are those without decent connections as well. And of course, a secondary system to start this process up from potentially (especially if the system you are recovering from is no longer viable for whatever reason). And hence why the previous method is desireable if speed is of the essence (no one wants to pull xGB of data to create an installation media on a 2MB/s download line; at least an hour for 8GB of data, more obiously if more was needed).