ykhan152, the main take-away is that one must ensure that the RBAC in Azure is configured in such a way that no unauthorized accounts can access Arc-enabled resources, the same as, for example, Domain Controllers that are pure Azure VMs.
For changing your 200+ machines, I recommend a simple script, perhaps triggered by an Immediate Task in a GPO preference that executes the command C:\Program Files\AzureConnectedMachineAgent> azcmagent config set config.mode monitor.
I hear and understand your remark, and am checking how we can better transmit this. That said, going forward you may open the agent up again, as we move into the paradigm of Adaptive Cloud, meaning leveraging Azure capabilities to manage your entire estate. In other words, using Arc for monitoring only may be a temporary state. I hope this helps. Thank you for engaging!
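A sketch of the kind of script the reply above suggests running from a GPO Immediate Task, added here as an example and not part of the original reply or Microsoft's own tooling. It assumes the task runs as SYSTEM, that `azcmagent config get config.mode` prints the current mode name, and uses a hypothetical log path under `%ProgramData%`.

```powershell
# Added example: idempotently switch the Azure Connected Machine agent to monitor mode.
# Run elevated (e.g. as SYSTEM from a GPO Immediate Task).

# Install folder as shown in the post; log path is an assumption for this example.
$azcmagent = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent\azcmagent.exe'
$logFile   = Join-Path $env:ProgramData 'ArcMonitorMode.log'

function Write-Log([string]$Message) {
    # One line per run so results can be collected and reviewed centrally.
    $line = '{0} {1} {2}' -f (Get-Date -Format o), $env:COMPUTERNAME, $Message
    Add-Content -Path $logFile -Value $line
}

function Get-ArcMode {
    # Assumption: the command's output contains the mode name ("full" or "monitor").
    $out = (& $azcmagent config get config.mode | Out-String).Trim()
    if ($out -match '\b(monitor|full)\b') { return $Matches[1] }
    return "unknown ($out)"
}

if (-not (Test-Path $azcmagent)) {
    Write-Log 'azcmagent.exe not found; agent not installed, nothing to do.'
    exit 0
}

$before = Get-ArcMode
if ($before -eq 'monitor') {
    Write-Log 'Already in monitor mode; no change made.'
    exit 0
}

# The command from the post.
& $azcmagent config set config.mode monitor | Out-Null
$rc = $LASTEXITCODE

# Re-read the setting instead of trusting the exit code alone.
$after = Get-ArcMode
if ($rc -ne 0 -or $after -ne 'monitor') {
    Write-Log "FAILED: exit code $rc, mode before '$before', mode after '$after'."
    exit 1
}

Write-Log "Mode changed from '$before' to 'monitor'."
exit 0
```

The non-zero exit code and the log line on failure let you find machines where the change did not take effect before relying on the restricted mode.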