We use GSuite SSO with Context Aware Access and other such policies to gate access to the browser. So that means that we could give out access via CloudShell, and now those commands are gated by those same policies. That's really nice from a security perspective.
In our case, since we do development in a ChromeOS environment, and the browser is relatively isolated from the Linux VM, it also likely prevents classic SSH-hijacking.
In our case, since we do development in a ChromeOS environment, and the browser is relatively isolated from the Linux VM, it also likely prevents classic SSH-hijacking.