Security is a top priority. The Masthead agent does not query data in your Data Warehouse; it consumes the CDC logs produced by the transactions executed in it.
During the installation process the following resources are created in your Google Cloud project:

Pub/Sub topic

Pub/Sub topic masthead-topic and subscription masthead-agent-subscription.

Logs Router

A Logs Router sink with an inclusion filter, which automatically publishes the matching log entries to the Pub/Sub topic masthead-topic.

Custom Role

To read the metadata of BigQuery schemas and their tables and views, the installation script creates the masthead_bq_schema_reader custom role with the following permissions:

Bind Service Account

Binds the Masthead Service Account to Pub/Sub and to the newly created custom role, so the Masthead Service Account has the following roles granted to it:
Pub/Sub Subscriber
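As an added illustration of what the steps above amount to, here is a Terraform definition of the same resources written for this page; it is not Masthead's installation script. The project ID, the service account e-mail, the sink name, the log filter and the custom role's permission list are assumptions (this page does not state the real filter or permissions); the point of the example is the shape of the least-privilege setup: a log sink feeding a topic, a metadata-only role, and a subscriber binding, with no data-read permission anywhere.

```hcl
# Added example (not Masthead's own installation script). Assumed values are
# marked; the real filter and permission list are not given on this page.

variable "project_id" { type = string }        # assumption: your GCP project ID
variable "masthead_sa_email" { type = string } # assumption: Masthead's service account e-mail

resource "google_pubsub_topic" "masthead" {
  project = var.project_id
  name    = "masthead-topic"
}

resource "google_pubsub_subscription" "masthead_agent" {
  project = var.project_id
  name    = "masthead-agent-subscription"
  topic   = google_pubsub_topic.masthead.id
}

# Logs Router sink with an inclusion filter. The filter below is an assumption
# (BigQuery audit log entries); substitute the filter your installer configured.
resource "google_logging_project_sink" "masthead" {
  project                = var.project_id
  name                   = "masthead-sink" # assumed sink name
  destination            = "pubsub.googleapis.com/${google_pubsub_topic.masthead.id}"
  filter                 = "resource.type=\"bigquery_resource\" AND protoPayload.serviceName=\"bigquery.googleapis.com\""
  unique_writer_identity = true
}

# The sink publishes with its own writer identity, which needs Publisher on the topic.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = var.project_id
  topic   = google_pubsub_topic.masthead.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_project_sink.masthead.writer_identity
}

# Metadata-only custom role. The permission list is an assumption consistent with
# a "schema reader": it deliberately omits bigquery.tables.getData and
# bigquery.jobs.create, so the role can list and describe tables but never read rows.
resource "google_project_iam_custom_role" "masthead_bq_schema_reader" {
  project = var.project_id
  role_id = "masthead_bq_schema_reader"
  title   = "Masthead BigQuery schema reader"
  permissions = [
    "bigquery.datasets.get",
    "bigquery.tables.get",
    "bigquery.tables.list",
  ]
}

# Bind the Masthead service account to the custom role ...
resource "google_project_iam_member" "masthead_schema_reader" {
  project = var.project_id
  role    = google_project_iam_custom_role.masthead_bq_schema_reader.id
  member  = "serviceAccount:${var.masthead_sa_email}"
}

# ... and grant it Subscriber on the subscription only, not on the whole project.
resource "google_pubsub_subscription_iam_member" "masthead_subscriber" {
  project      = var.project_id
  subscription = google_pubsub_subscription.masthead_agent.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${var.masthead_sa_email}"
}
```

After installation, the check worth running is that the custom role really is metadata-only: `gcloud iam roles describe masthead_bq_schema_reader --project=YOUR_PROJECT_ID` should show no `bigquery.tables.getData` permission, and the service account should appear in `gcloud projects get-iam-policy YOUR_PROJECT_ID` only with that custom role, with its Pub/Sub role scoped to the subscription rather than the project.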
For the On-Prem Deployment, in addition to the resources listed above, the Masthead Agent itself is deployed into your Google Cloud project.