Which user is proposed to be used by istio components

There is a requirement from the client to run the istio components as non-root. I have a PR to run the istio components(galley/pilot/citadel/sidecar-injection/mixer) as user istio-proxy (UID: 1337). there are some discussion offline or in that ticket which user should be used?

  1. istio-proxy (UID: 1337) - already reserved by istio proxy. expand to be used by other components
  2. create a new user (istio) to be used by istio components except for istio proxy
  3. create a new user nonroot (UID: 65532) to align with distroless:nonroot image.
  4. create separated user for each component. e.g.: user istio-galley for galley component; user istio-pilot for pilot component, etc.

Any suggestions?