  1. Core Server
  2. SERVER-92141

Audit authorization checks for router and shard commands

    • Type: Task
    • Resolution: Unresolved
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: None
    • Catalog and Routing
    • 2

      Review that router commands (see the src/mongo/s/commands folder), as well as all the config- or shard-internal commands they use (_configsvrXYZ or _shardsvrXYZ commands, see the src/mongo/db/s/config and src/mongo/db/s folders), check for authorization in a sensible and consistent way.

      We have no evidence that any of those commands is checking authorization improperly, but since we had an instance in the past where a shard-internal command had a wrong authorization check, it would be advisable to do a comprehensive review to find any potential issues proactively.
       
      For the _shardsvrConvertToCapped command introduced in 8.0, we did a review for the authorization checks in SERVER-91103 and found no issues; the conclusion being that checking for the internal privilege action (ActionType::internal) on the shard-internal _shardsvrConvertToCapped command is sufficient.

      Also note that there are some commands registered as MONGO_REGISTER_COMMAND(...).forRouter(); or MONGO_REGISTER_COMMAND(...).forShard(); outside the folders linked above. It would be a good idea to check if they have any relevance for this investigation.

            Assignee: Unassigned
            Reporter: Joan Bruguera Micó (joan.bruguera-mico@mongodb.com)
            Votes: 0
            Watchers: 3
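
Added example, not part of the ticket or of MongoDB's own code: one way to carry out the ticket's last suggestion, listing MONGO_REGISTER_COMMAND(...).forRouter() and .forShard() registrations in files outside the three folders the ticket names. The scanned tree, file names and command class names are constructed, and matching the registration by regular expression across line breaks is an assumption about how the source is formatted.

```python
import re
import tempfile
from pathlib import Path

# Folders the ticket already names for review (paths as written in the ticket).
REVIEWED = ("src/mongo/s/commands", "src/mongo/db/s/config", "src/mongo/db/s")
# A registration statement up to ';' (assumed: the role call may follow on a later line).
STATEMENT = re.compile(r"MONGO_REGISTER_COMMAND\s*\(([^)]*)\)([^;]*);")
ROLE = re.compile(r"\.\s*(forRouter|forShard)\s*\(\s*\)")

def find_registrations(text):
    """Return (line, macro_argument, role) for each router/shard registration."""
    found = []
    for stmt in STATEMENT.finditer(text):
        line = text.count("\n", 0, stmt.start()) + 1
        for role in ROLE.findall(stmt.group(2)):
            found.append((line, stmt.group(1).strip(), role))
    return found

def outside_reviewed(root):
    """List registrations in .cpp files that are not under the ticket's folders."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*.cpp")):
        rel = path.relative_to(root).as_posix()
        # Compare with a trailing '/' so 'src/mongo/db/s_example' is not skipped.
        if any(rel.startswith(folder + "/") for folder in REVIEWED):
            continue
        for line, arg, role in find_registrations(path.read_text(errors="replace")):
            hits.append((rel, line, arg, role))
    return hits

def demo():
    """Scan a constructed tree; every file and class name below is made up."""
    reg = "MONGO_REGISTER_COMMAND"
    files = {
        "src/mongo/s/commands/inside_cmd.cpp": f"{reg}(InsideCmd).forRouter();\n",
        "src/mongo/db/s/config/inside_cfg_cmd.cpp": f"{reg}(InsideCfgCmd).forShard();\n",
        "src/mongo/db/s_example/near_cmd.cpp": f"{reg}(NearCmd).forRouter();\n",
        "src/mongo/example/outside_cmd.cpp": f"// sample\n{reg}(OutsideCmd)\n    .forShard();\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return outside_reviewed(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing outside_reviewed() at a real checkout root gives the list of files to look at; each hit still needs a manual read of the command's authorization check.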
