You are correct, ArcGIS Monitor requires PSA to monitor. The rationale is to allow monitoring independent of ArcGIS Portal. In your case of a federated server (Web Adaptor or not), without server PSA, the authentication would have to be managed by Portal. That means, if Portal is down, server monitoring would stop working.
We are evaluating allowing for authorization via a Portal federated user. However, this will lose the ability of independent monitoring as mentioned above, which will remain our recommended best practice.
I agree with the least privilege principle. However, allowing PSA is not inherently insecure and the access can be further restricted.