On my Elasticsearch 7.x cluster, the beats_system role has the cluster privileges monitor and cluster:admin/xpack/monitoring/bulk.
According to Grant privileges and roles needed for monitoring | Filebeat Reference [7.17] | Elastic, a user-made role (as an alternative to using the built-in beats_system role) should also have these privileges.
According to Security privileges | Elasticsearch Guide [7.17] | Elastic, roles with the cluster monitor privilege have access to:
All cluster read-only operations, like cluster health and state, hot threads, node info, node and cluster stats, and pending cluster tasks.
Question:
According to Use internal collection to send monitoring data | Filebeat Reference [7.17] | Elastic, the internal collector (for which the monitoring user is used) is used to "send Beats monitoring data directly to your monitoring cluster".
Why should the Filebeat monitoring user be able to read the Elasticsearch monitoring cluster's own monitoring data?