4. The server

The server does not need root privileges. Therefore, if it is started with root privileges, it will drop them irrevocably after startup. If a privileged port (below 1024) must be opened, the server will first open it, then drop root, and only thereafter accept any connection on the port.

The server can be chrooted, and actually has a config file option to do so by itself (which means that you don't need to copy shared libraries into the chroot environment).

(If your clients are configured to download baseline databases and configuration files from the server:) The server does not need write access to the directory where client baseline databases and configuration files are stored, and it would be wise to deny such access (chown to some other user, and allow group read access for the server).