If so, does that mean your deployment server should run as root also? It keeps deploying client apps as "splunk"
Best practice is to run splunk as a user other than root.
If your universal forwarder is running with root/admin privileges you shouldn't have any issues with communication between it and your indexer.