Distributed monitoring with top-down setup: security considerations

I started converting an NRPE setup to Icinga2 distributed monitoring. One goal was to remove open ports from servers, and my agents connect just fine to the master. I started with a bottom-up approach, because it seemed to be the most secure solution: all checks are defined locally and the master can only initiate “allowed” checks on the endpoint.

Now I have just learned that bottom-up is deprecated. I am wondering how I would set up a top-down approach in a way that a compromised server could not execute malicious commands on the endpoint.

Any ideas/best practices?

Update: I just read Icinga2 distributed monitoring security considerations and I seem to be correct that top-down is a security nightmare. I could live with that, if bottom-up had not been deprecated.

BTW: I love the way the Icinga2 documentation not only explains and documents settings or setups, but also always gives useful examples and best practices info.