falcon-self-hosted-registry-assessment cluster-wide permissions

[hrbasic]

The Helm chart for falcon-self-hosted-registry-assessment is using cluster-wide permissions to read secrets:: https://github.com/CrowdStrike/falcon-helm/blob/main/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-cluster-role.yaml.

If my understanding is correct, this service pulls images from a private Artifactory and performs assessments. Why does it need cluster-wide permissions to read secrets from other namespaces? This seems like a security issue.

In our use case, we use ArgoCD for deployments and do not allow other users (in this case, the team responsible for deploying this service) to create ClusterRole and ClusterRoleBinding resources. Am I missing something, could we simply use Role instead of ClusterRole?

kubectl auth can-i get secret --namespace=kube-system --as=system:serviceaccount:crowdstrike-falcon-io-shra:falcon-shra-executor  
yes