I've seen a few older posts on this, so I thought I might try and get a more recent answer.
There are situations in which you might want to run the Universal Forwarder as root. Sensibly, new versions of the UF remove the default password issue, but the existence of the Splunk management port running as root exposes the UF to the possibility of a remote and local privilege escalation, whether through poor password management by an admin or some undiscovered authentication flaw in the UF itself.
Disabling the management port altogether should remove that vector entirely.
There is a documented method in server.conf. To save you looking it up, here are the docs from 8.1.3:
disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port, which is 8089 by default.
* NOTE: Changing this setting is not recommended.
* This is the general communication path to splunkd. If it is disabled, there is no way to communicate with a running splunk instance.
* This means many command line splunk invocations cannot function, Splunk Web cannot function, the REST interface cannot function, etc.
* If you choose to disable the port anyway, understand that you are selecting reduced Splunk functionality.
* Default: false
In my testing, enabling it on a UF seems OK. Some CLI commands fail, notably anything that needs to authenticate.
My question is: other than most CLI commands, will anything important to the UF break?
The older posts on this topic are still valid.
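An audit check for the setting discussed in this thread, added here as an example and not taken from either post or from Splunk: it reports whether a server.conf disables the management port and whether anything still listens on 8089. It assumes the setting belongs to the `[httpServer]` stanza and that `true` or `1` turn it on; the function names and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. Assumptions: disableDefaultPort is read from the [httpServer]
# stanza, and "true" or "1" (any case) count as enabled values.

mgmt_port_disabled() {
    # $1 = path to one server.conf; prints "disabled", "enabled" or "unset".
    # "unset" means the documented default (false) applies: the port is open.
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*\[/ {                           # stanza header: remember its name
            s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); stanza = s; next
        }
        stanza == "httpServer" && /^[ \t]*disableDefaultPort[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            v = tolower(v)                      # last assignment in the file wins
            state = (v == "true" || v == "1") ? "disabled" : "enabled"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

port_listening() {
    # $1 = port; reads `ss -ltn` output on stdin; exit 0 if a listener uses it.
    awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { found = 1 }
        END { exit !found }'
}

# Constructed sample: the key under the wrong stanza must not count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[general]
disableDefaultPort = true
[httpServer]
# disableDefaultPort = false
disableDefaultPort = True
EOF
echo "config: $(mgmt_port_disabled "$sample")"
rm -f "$sample"

# Constructed `ss -ltn` line; on a real host use: ss -ltn | port_listening 8089
if printf 'LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*\n' | port_listening 8089; then
    echo "runtime: 8089 still listening"
fi
```

This reads a single file; on a host with several configuration layers, feed it the merged view (for example the output of `splunk btool server list`) instead.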