'create' vs. 'create_doc' privilege for beats_system

On my Elasticsearch 7.x cluster, the beats_system role has the index privileges create_index and create.

According to Security privileges | Elasticsearch Guide [7.17] | Elastic, roles with the index create privilege may:

index documents, allowing overwriting any existing document, but not permitting updating one.

According to that same document, the index create_doc privilege does NOT allow for overwriting:

Privilege to index new documents, without allowing overwriting or updating existing ones.

According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in beats_system role) should have the index create_index and create_doc privileges.

Questions:

  • Why does the built-in beats_system role have the index create privilege instead of the index create_doc privilege?
  • How could I replace the index create privilege with the index create_doc privilege for the beats_system role? I am unable to update it because it's built in.

  • Why does the built-in beats_system role have the index create privilege instead of the index create_doc privilege?

Because beats_system came before we had create_doc. Because of backward compatibility, it is not simple to change it to use create_doc afterwards.

  • How could I replace the index create privilege with the index create_doc privilege for the beats_system role? I am unable to update it because it's built in.

You cannot. You'll want to create and use your own role.
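A worked version of "create and use your own role", added here as an example and not part of the original thread or of Elastic's documentation. The index privileges (create_index and create_doc) are the ones the Filebeat monitoring docs cited above list; everything else is an assumption for illustration: the role name beats_monitoring_writer, the index pattern .monitoring-beats-*, the cluster privilege monitor, and the probe index name. The script builds the role body, checks that it no longer carries the overwrite-capable create privilege, and (only when ES_URL is set) pushes it through the Elasticsearch role API; probe_overwrite_denied is an optional live check that a user holding just this role can append with op_type=create but is refused a plain index-by-id write.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic.
# Hypothetical names: ROLE_NAME, the .monitoring-beats-* pattern, the
# "monitor" cluster privilege and the probe index; adjust to your setup.

ROLE_NAME="${ROLE_NAME:-beats_monitoring_writer}"

# Role body: create_doc (append-only) instead of the built-in role's create
# (which permits overwriting an existing document by _id).
beats_monitoring_role_json() {
    cat <<'EOF'
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": [".monitoring-beats-*"],
      "privileges": ["create_index", "create_doc"]
    }
  ]
}
EOF
}

# Guard against regressing to the overwrite-capable privilege: succeeds only
# if the body names "create_doc" and does not name "create" on its own.
check_no_overwrite_privilege() {
    beats_monitoring_role_json | grep -q '"create_doc"' || return 1
    beats_monitoring_role_json | grep -q '"create"' && return 1
    return 0
}

# Push the role to a live cluster. Needs ES_URL (e.g. https://es:9200) and
# ES_AUTH (user:password for an account holding manage_security).
put_role() {
    curl -sS -u "$ES_AUTH" -H 'Content-Type: application/json' \
        -X PUT "$ES_URL/_security/role/$ROLE_NAME" \
        --data-binary "$(beats_monitoring_role_json)"
}

# Optional live probe, as a user (PROBE_AUTH=user:password) holding only the
# new role. Expected: op_type=create on a fresh _id is accepted (201),
# a plain PUT to the same _id, which would overwrite, is refused (403).
probe_overwrite_denied() {
    idx="${PROBE_INDEX:-.monitoring-beats-7-probe}"
    body='{"probe":true}'
    c1=$(curl -s -o /dev/null -w '%{http_code}' -u "$PROBE_AUTH" \
         -H 'Content-Type: application/json' \
         -X PUT "$ES_URL/$idx/_create/1" -d "$body")
    c2=$(curl -s -o /dev/null -w '%{http_code}' -u "$PROBE_AUTH" \
         -H 'Content-Type: application/json' \
         -X PUT "$ES_URL/$idx/_doc/1" -d "$body")
    [ "$c1" = "201" ] && [ "$c2" = "403" ]
}

# Only talk to a cluster when one is configured; the checks above run offline.
if [ -n "${ES_URL:-}" ]; then
    check_no_overwrite_privilege || { echo "role body still grants create" >&2; exit 1; }
    put_role
fi
```

After the role exists, create (or re-point) the Beats monitoring user with role beats_monitoring_writer instead of beats_system and reference that user in the Filebeat monitoring output; the built-in role itself stays untouched, which is the only option the answer above leaves open.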