We run as root to allow for the automatic updates. There are security benefits to running as a service account, for sure. But the system is isolated and we run from /opt and do everything like they would on most machines. It's a minor security point. The fear is that someone will break the application and get access to the server more broadly. But as the risks on the machine are entirely access to this app, it's a minor fear.
When you say it is isolated, do mean that it is on a vlan or you guys are hosting it offsite on Vultr or similar and it does not have access to your internal systems?
Lol none of that stuff really matters as much because at the jacked point you now have remote access to all of the machines it connects to.
True but I thought @scottalanmiller had said at one time they use it for on-demand access and not unattended