Service accounts should be granted only the minimal set of permissions needed to do their job. They should never hold excessive access: if a resource running as the service account is compromised, an attacker inherits those permissions and can escalate privileges and take over the entire cloud account.
Cloud account takeover if a resource using a service account is compromised
Limit service account access to minimal required set
The following example will fail the google-iam-no-privileged-service-accounts check.
The following example will pass the google-iam-no-privileged-service-accounts check.
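As an added illustration (not the check documentation's own snippets), the Terraform below shows the pattern the check flags, a service account bound to the basic roles/owner role, next to the corrected binding that grants only a narrowly scoped predefined role; the project id is a placeholder.

```hcl
# Added example, not the original documentation's code.
# The project id below is a placeholder.

resource "google_service_account" "app" {
  account_id   = "app-runtime"
  display_name = "Application runtime identity"
}

# FAILS google-iam-no-privileged-service-accounts:
# roles/owner is a basic (primitive) role that grants full control of the
# project. Whoever compromises a workload running as this service account
# inherits that control.
resource "google_project_iam_member" "app_owner" {
  project = "my-project-id"
  role    = "roles/owner"
  member  = "serviceAccount:${google_service_account.app.email}"
}

# PASSES: replace the binding above with the single predefined role the
# workload actually needs (here, writing log entries). Remove the
# roles/owner binding rather than keeping both.
resource "google_project_iam_member" "app_log_writer" {
  project = "my-project-id"
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.app.email}"
}
```

Running a policy scanner such as tfsec against a module containing the first binding reports the finding; keeping only the second binding clears it.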