I think adding the User/Group in /etc/systemd/system/multi-user.target.wants/orbit.service under [Service] and ensuring correct ownership to /opt/orbit is the way to do it. Please let me know if there's a better way.

I'm not an expert, but I don't think you'd get full visibility if osqueryd is not running as root.

This sounds like a reasonable approach. Jason is correct that you won't get full visibility though.

Thanks both of you! I need a way for me to prevent osquery to be able to access some directories.