Again, the question was for a hypothetical abstract monitoring agent, and the only reason I even mentioned privileged is maybe the tool you’re looking at requires it. If yours just e.g. watches processes running on the host, all you need is --pid=host. If you don’t like agents that run as root, don’t run them. Putting it in a container changes nothing.
The goal of the default console in RancherOS is to be a minimal way to get Docker running on a host, and not much else. Primarily so it can be used as a Rancher host. The userspace is all busybox, little is customizable, (mostly) only container-related storage is persistent across reboots, and the expected way to run anything additional is through containers.
If you want a traditional OS, you should probably use one. Or for something in between, the alternate consoles (Debian, CentOS, etc.) provide the standard userspace tools of those distros, including their package managers.