As a security measure, Zabbix agent provides a configuration parameter EnableRemoteCommands to restrict system.run checks.
However, system.run is not the only way to compromise security through Zabbix agent. For instance, a malicious administrator can potentially query vfs.file.contents on a user's workstation to peek at files in the system that contain cached passwords.
Thus, it would be nice if there were a way to restrict availability of arbitrary checks on the agent, not just system.run.
C agent implementation done in parent task:
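A sketch of the kind of per-key restriction requested above, as an added example that is not Zabbix code or its configuration syntax. The rule format, the function names and the sample item keys are all hypothetical and constructed for illustration; it assumes ordered allow/deny patterns where the first match wins.

```python
import re

# Hypothetical rule list (not Zabbix syntax): (action, pattern), checked top to bottom.
# "*" is the only wildcard; brackets are literal because item keys use them.
RULES = [
    ("allow", "vfs.file.contents[/var/log/app/*]"),
    ("deny", "vfs.file.*"),
    ("deny", "system.run[*]"),
    ("allow", "*"),
]


def compile_pattern(pattern):
    """Turn a key pattern into a regex where only '*' is special.

    fnmatch is deliberately avoided: it would read the '[...]' of an
    item key as a character class and match the wrong keys.
    """
    parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(parts), re.DOTALL)


def has_parent_segment(key):
    """True if any path segment in the key is '..'.

    Without this, the allow rule for /var/log/app/* would also match
    /var/log/app/../../etc/shadow. Symlinks are not covered here.
    """
    return ".." in re.split(r"[/\[\],]", key)


def is_allowed(key, rules=RULES):
    """Evaluate an item key against the rules; first match wins."""
    if has_parent_segment(key):
        return False
    for action, pattern in rules:
        if compile_pattern(pattern).fullmatch(key):
            return action == "allow"
    return False  # nothing matched: deny by default


if __name__ == "__main__":
    # Constructed sample keys, not taken from a real agent.
    for key in ("agent.ping",
                "system.run[id]",
                "vfs.file.contents[/etc/shadow]",
                "vfs.file.contents[/var/log/app/app.log]",
                "vfs.file.contents[/var/log/app/../../etc/shadow]"):
        print("allow" if is_allowed(key) else "deny ", key)
```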