After manually disabling the Scripting agent on an Exchanges server, it is observed to be re-enabled when the Change Auditor Exchange agent is restarted. How does the Change Auditor agent have Exchange permissions.
The Change Auditor agent installed on an Exchanges server requires the Exchange Scripting Agent, therefore it verifies that it is enabled during start-up and enables it if it is not.
The Change Auditor Agent run with NT AUTHORITY\SYSTEM (LOCAL SYSTEM) which is typically in the "Exchange Trusted Subsystem" group (Exchange Servers). This group contains Exchange servers that run Exchange cmdlets on behalf of users via Management service. Its members will have permission to read and modify all Exchange configuration, as well as user accounts and groups.
When the Scripting agent cmdlet extension agent is enabled, the agent is invoked every time a cmdlet is run on a server running Exchange 2013. This includes not only cmdlets run directly by you in the Exchange Management Shell, but also cmdlets run by Exchange services, and the Exchange Administration Center (EAC).