I too thought those rights were a bit 'excessive'. I have created a custom security role that has only basic read permissions to a minimal set of objects (e.g. Resources and Collection and Site). The only greater-than-read access that I granted was on the 'Collection' object, where it receives the following permissions:
So far this has worked fine for me, and may even be more permissive than is needed. I also applied these permissions to a filtered collection containing only Intel Provisioned AMT systems (some of our systems are SCCM provisioned and thus these rights are not needed).
Hope this helps.