$shardedDataDistribution has it's own privilege action which is included in the clusterMonitor role. When running $shardedDataDistribution without a filter on a specific namespace this make sense as the aggregation will return information for sharded collections across all databases. 

When a customer is looking for the data distribution of a specific namespace (example below) the requirement to have the clusterMonitor role (or the specific shardedDataDistribution privilege action) seems unnecessary. Other commands such as collStats and listCollections are included in the read role for a database and it seems (if possible) that $shardedDataDistribution should align with that from a UX PoV.   

db.aggregate([
    { 
        $shardedDataDistribution: {} 
    },
    {
        $match: { "ns": "test.foo" }
    }
])