Hello,
I am NOT asking here about service accounts in SCCM.
A few days ago SCCM started to uninstall stuff until we added the computer accounts of other SCCM servers (MPs, Endpoint Protection Servers, etc.) to the local administrators group on the site servers.
I found a lot of documentation about service accounts, but none that would tell me straightforwardly what rights the computer accounts of SCCM servers need.
Just now we added a new Endpoint Protection Server. The installation was fine.
Afterwards it obviously lacked rights in order to start operating properly. It warned that the other side would be in pull mode instead of in push mode. Could not transfer into the inboxes, could not write into the registry, etc. Although the installation of the SCCM roles was done from within the productive environment of SCCM.
Of course, on the EPP server itself, the necessary components were installed too.
It only seemed to start working after we added the computer account of the Endpoint Protection Server to the local administrators group of the site servers.
Where is this documented exactly? Nowhere did I find a mention that the computer account of an Endpoint Protection Server would need admin rights in the local administrators group on the site servers.
The computer accounts of the site servers seemingly also need to be in the local administrators group on each site server?
Where is this documented? Or why is that necessary?
So many rights are given for so many purposes in the overall setup of SCCM.
Why do the computer accounts need flat admin rights?
It feels strange: if that is necessary, why doesn't it pop up in all that documentation?
Thank you for twofold hints - once for the computer accounts of the site servers and also for the computer accounts of the EPP server and other SCCM servers if those also need local admin rights.
Thank you.
Andreas
P.S. Why isn't there a tag for SCCM?