Broad Permissions on Operator in Restricted mode

I've recently set up ECK using the restricted installation and I wanted to ask if anyone has validated the very broad permissions provided to the operator in the operator namespace are necessary before filing a GitHub issue and testing this myself.

It makes sense why all these permissions are required in namespaces where clusters are managed, but not so much in the operator namespace.

I've included below the permissions provided to the operator in its namespace (set through the OPERATOR_NAMESPACE env var below:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: elastic-operator
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elastic-operator
rules:
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  - endpoints
  - events
  - persistentvolumeclaims
  - secrets
  - services
  - configmaps
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - elasticsearch.k8s.elastic.co
  resources:
  - elasticsearches
  - elasticsearches/status
  - elasticsearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  - enterpriselicenses
  - enterpriselicenses/status
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - kibana.k8s.elastic.co
  resources:
  - kibanas
  - kibanas/status
  - kibanas/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - apm.k8s.elastic.co
  resources:
  - apmservers
  - apmservers/status
  - apmservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - enterprisesearch.k8s.elastic.co
  resources:
  - enterprisesearches
  - enterprisesearches/status
  - enterprisesearches/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - beat.k8s.elastic.co
  resources:
  - beats
  - beats/status
  - beats/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - agent.k8s.elastic.co
  resources:
  - agents
  - agents/status
  - agents/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - maps.k8s.elastic.co
  resources:
  - elasticmapsservers
  - elasticmapsservers/status
  - elasticmapsservers/finalizers # needed for ownerReferences with blockOwnerDeletion on OCP
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: elastic-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: elastic-operator
subjects:
- kind: ServiceAccount
  name: elastic-operator