Probably the only improvements I can think is running the runner as a gMSA and applying the relevant ACL's to that, so you can avoid needing to supply creds.
Otherwise, on our fleet of hundreds of IIS, we've had success just pointing IIS to a hardlink, deploying the new version to a new folder and updating the hardlink - from memory this does trigger an app pool restart but its super fast, lets you go back and forth very easily.
Otherwise, on our fleet of hundreds of IIS, we've had success just pointing IIS to a hardlink, deploying the new version to a new folder and updating the hardlink - from memory this does trigger an app pool restart but its super fast, lets you go back and forth very easily.