Yet another case of Apple using SUID bits when they have no clue what they’re doing. Go ahead and pull the SUID bit from ARDAgent
sudo chmod ugo=rx /System/Library/CoreServices/\ RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
Notice I also pull the write bit from the binary as well. Who in their right mind is giving SUID bits and also allowing writing to the binary. Hello? Someone needs to wake the hell up over there at Cupertino.