would there ever be a scenario where its acceptable to have enabled alerts and or reports running which are not assigned to anybody ie owner = Nobody
Yes, it is possible to have alerts and reports owned by 'nobody', but I don't know why you'd want to do that. User 'nobody' uses default settings, which may not be correct for the use case. IMO, it's better to assign alerts and reports to a service account with a role that has the resources needed to run those alerts and reports.
thank you Rich for taking the time to comment, I agree with you however please check your own config as what I see is that Splunk runs it's own apps as Nobody, for example these:
Splunk_Security_Essentials
SplunkAppForWebAnalytics
Splunk_ML_Toolkit
Splunk_TA_microsoft-cloudservices
Splunk_TA_microsoft-sqlserver
splunk_instrumentation
search
splunk_monitoring_console
sideview_utils
simple_xml_examples
splunk_archiver
I understand the use of Nobody is commonplace, but that doesn't mean it's a good idea or that I agree with it.
Here is explanation what nobody actually means https://community.splunk.com/t5/All-Apps-and-Add-ons/Disambiguation-of-the-meaning-of-quot-nobody-qu...
Based on that, you should always use valid user to own those KOs. User could be a real user or service user depending on your needs.