Lock enableLocalConfigurationServer setting on OPS Manager side
To harden security for mongodb deployment managed by OPS Manager, we can use setting enableLocalConfigurationServer = true so automation-mongod.conf won't have any passwords for ssl certs and agent will retrieve them from OPS Manager.
to disable this feature and to read all passwords for ssl certs (and hence get access to mongodb data) it's enough to comment out this parameter an restart automation service (or wait until host will be restarted).
Linux root user can modify any file on mongodb host including this file and can restart any services, so it's impossible to protect getting all passwords and mongod.conf from root user only using Linux functionality.
But it's possible to add feature in OPS Manager to "lock automation agent setting for enableLocalConfigurationServer" on OPS Manager side.
Even if root comments out/disables this setting, automation agent will request full config file from OPS Manager and OPS Manager will check on its side if it's allowed to send full config back to agent.
i.e. only MongoDB DBA who manages deployment from OPS Manager controls if full config with all password should be sent to host and Linux root user won't be able on their own retrieve passwords.