What is the difference between secret injection via annotation vs vault agent configmap?

I am deploying vault to our Kubernetes environment. I am reading through the documents for Vault, and came across 2 documents.

  1. Secret injection through annotation
  2. Vault agent through defining configmap method and sinks

What is the difference between the 2 methods of getting secrets to my application?
The document states that vault agent does auto auth that can automatically manage the vault token lifecycle. Does secret injection through annotation not do that?

If that is the case, would vault-agent via configmap be generally the recommended approach? We have long-running applications in our Kubernetes clusters.