I (partially) agree that it is a good change, but for a different reason. For security purposes, the certificates should include only the permissions that are required (although maybe they ought to allow you to have certificates that include both if you have a use for it (which as I have mentioned, you usually should not need because you will probably want to use different certificates instead), but unfortunately they do not allow that).

Should we remove anything that was at some point misconfigured somewhere?

I won't mind?

But in this case, the upsides are definitely greater than in the usual case.

We can get rid of computers altogether then but I'm not sure that would improve anything.