you don’t need to use an unrestricted block, how about you pin-hole the ACL with this thing in the beginning
- name: "just that action from localhost"
type: allow
actions: ["cluster:monitor/health"]
hosts: ["127.0.0.1"]
... all the other blocks here...