So, yes, this is something that should be fixed, however, if you have access to the database, you can just add data to it to tell Juju to spin up a unit on the bootstrap node that runs as root and you can then do whatever you want with it. So, while it would be better for appearances' sake to not have mongodb running as root, it doesn't actually close any security holes to a determined attacker. In addition, it's a non-trivial change, since it means we have to create a new user to run mongo as, and in theory upgrade old environments to fix them as well. My suggestion is that we leave it as high and deal with it later.
So, yes, this is something that should be fixed, however, if you have access to the database, you can just add data to it to tell Juju to spin up a unit on the bootstrap node that runs as root and you can then do whatever you want with it. So, while it would be better for appearances' sake to not have mongodb running as root, it doesn't actually close any security holes to a determined attacker. In addition, it's a non-trivial change, since it means we have to create a new user to run mongo as, and in theory upgrade old environments to fix them as well. My suggestion is that we leave it as high and deal with it later.