It looks like 2.11 changed ownership of (most) files and folders in /etc/icinga2 from root:root to nagios:nagios. Was this intended? It’s weaken the security point of view IMHO.
Yes, that is intended allowing certain CLI commands to be executed without root permissions. The RPM packages had icinga for years now, only Debian did something different. In terms of security, this isn’t a weak spot since no-one except Icinga itself or root should be able to read there. By default, the icinga (or nagios on Debian) doesn’t have a shell either (/bin/false or /sbin/nologin) so the attack vector really is low.
Cheers,
Michael