As a V1 (for 24.3): the job should grant all privileges to the user that began the LDR job, who already had the replication privilege (basically admin). The only con to this approach is if two different users began an LDR job on the same table-- it would be a surprise that both have access to the shared DLQ table.
For a V2 (past 24.3): we can create a new LOGICAL_REPLICATION Role that a user is required to have to create an LDR job and to observe the shared DLQ table. If both users have the same role, it is less of surprise that both can observe the dlq.
Follow up to #128940.
As a V1 (for 24.3): the job should grant all privileges to the user that began the LDR job, who already had the replication privilege (basically admin). The only con to this approach is if two different users began an LDR job on the same table-- it would be a surprise that both have access to the shared DLQ table.
For a V2 (past 24.3): we can create a new LOGICAL_REPLICATION Role that a user is required to have to create an LDR job and to observe the shared DLQ table. If both users have the same role, it is less of surprise that both can observe the dlq.
Jira issue: CRDB-41696