SSM connects to the instance through the agent (you're logged in as ssm-user) so you don't need to open port 22 inbound, while Instance Connect does the public key magic and connects you directly over SSH.
From EC2 Instance Connect docs: "[...] it generates a one-time-use SSH public key, pushes the key to the instance where it remains for 60 seconds, and connects the user to the instance. You can use basic SSH/SFTP commands with the Instance Connect CLI."
