Directory Service Accounts and Active Directory Certificate Services (ADCS)

Should the updated sensor to detect issues with Active Directory Certificate Services (ADCS) use a different Directory Service Account to the one used by domain controllers?

The existing MDI documentation hasn't been updated with the new capability announced back in August for ADCS - Microsoft Defender for Identity expands its coverage with new AD CS sensor! - Microsoft Community Hub - It doesn't feel right to use the same account for the service running on DCs as the ADCS member servers (although appreciate both services should be considered highly sensitive.

Does the MDI team have any recommendations?