I was just curious, would there be any good justification for using SSI instead of PHP’s include in a LAMP environment? I cannot really think of any good argument in favor of it.
TL;DR: Don’t use SSIs. If you are only including 100% static HTML (not another include() or anything), use readfile(). Else, just use include() and make sure any random person can’t write to those files, as I would hope anyone would do.

SSI includes can be a major pain since they’re dependent on Apache in particular (try getting nginx to read SSI’s .. it’s NOT fun) and have zero advantage EXCEPT ……

If the file in question, whether it is to be SSI included or PHP included, has insecure write permissions or for any reason an untrusted source is able to write to it, it becomes a major concern. Keep in mind, when you include() then you are executing PHP code.

There are SSI directives that can do exec as well (#exec), which is also dangerous, but may have a more limited scope than PHP itself (or, it might be even more dangerous, that is extremely dependent and subjective to each particular situation).

However, if the file in question you want to include does not, and never will, contain PHP code and only HTML, please do not use include(), instead use:

As this will be much safer, as nothing is ever executed. Or you could also use readfile, which may be more efficient if you’re handling very large (10MB+) files being included:

Therefore, it may be a slight opinion of mine that you should use PHP instead of SSI, but I can tell you from experience SSI’s can become unmanageable and have no more benefit than at least file_get_contents() or readfile(), while include() has the special feature that if it contains PHP code (good or bad), it will be executed.
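
The difference the answer describes, as an added example that is not part of the original answer: the same fragment rendered through include() and through readfile(), plus a permission check for files that must go through include(). The fragment contents and the helper names (render_with_include, render_with_readfile, is_safe_to_include) are constructed for illustration, and the check assumes POSIX file permissions.

```php
<?php
declare(strict_types=1);

// Constructed sample: an "HTML" fragment that also carries a harmless PHP tag,
// standing in for a file that an untrusted party was able to write to.
$fragment = tempnam(sys_get_temp_dir(), 'frag');
file_put_contents($fragment, "<p>footer</p><?php echo 'EXECUTED:' . (6 * 7); ?>\n");

// include: the file is parsed as PHP, so the embedded tag runs.
function render_with_include(string $path): string
{
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// readfile(): the bytes are copied to output; nothing is parsed or executed.
function render_with_readfile(string $path): string
{
    ob_start();
    readfile($path);
    return (string) ob_get_clean();
}

// Hypothetical guard for fragments that have to be include()d:
// reject files that group or others are allowed to write to.
function is_safe_to_include(string $path): bool
{
    clearstatcache(true, $path);
    $perms = fileperms($path);
    return $perms !== false && ($perms & 0022) === 0;
}

chmod($fragment, 0666);                  // world-writable: guard rejects it
var_dump(is_safe_to_include($fragment));
chmod($fragment, 0644);                  // owner-writable only: guard accepts it
var_dump(is_safe_to_include($fragment));

// Same file, two outcomes: the first line shows the tag's output,
// the second shows the tag itself as inert text.
echo render_with_include($fragment), "\n";
echo render_with_readfile($fragment), "\n";

unlink($fragment);
```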