If you install Elasticsearch from reb or rpm, it will automatically set up a user to run under. It's normal that installing rpms or deb packages requires root permissions on the server. Our docker images are also already set with users. So if you're using one of those methods, then just follow the docs we have and you should be good to go.
If you're downloading the tarball/zip and using some config management, this is when you have some options that can lead to bad outcomes. Do set up a user for Elasticsearch and do chown the directories to be owned by Elasticsearch. Don't try to run it as root. It will actually refuse to start if it detects that as a security precaution.
The docs for how to set up Elasticsearch on various platforms and with each of these install mechanisms is at https://www.elastic.co/guide/en/elasticsearch/reference/6.4/install-elasticsearch.html