Running Elasticsearch as root is an anti-pattern in every other deployment model. So much so that we added the check. Elasticsearch is a networked component that has already had critical vulnerabilities (all fixed) but we've grown a healthy paranoia about this kind of thing.