When using the vault agent injector, tokens do not persist beyond the lifecycle of a given pod (this is even with agent-cache-enable). This means upon every deploy the vault primary gets hammered as it fulfills a bunch of authentication requests for larger deployments. This could be avoided if there was some sort of token caching in place where vault tokens would persist beyond the lifecycle of the pod. Does it make sense to stand up a separate agent deployment?
There is a case to be made for both, but tying the token to the pod makes a lot of security-sanity.
How often do you do deployments, and in how many places do you do deployments at once? We use both init containers and sidecars and have had no issues with a fairly large environment, no issues with a decently sized vault instance.