We do not have a document that lists all available bvc-Windows fields and which specific privileges are needed to retrieve them from a remote target. Because every environment has its own unique security surface area on its machines, and unique GPOs coming down from the domain, we don't even have a "rule of thumb" except to say "it's probably not worth the hassle to configure non-Administrative queries".
This exposure can be minimized by creating a special domain account with a special massively long impossible-to-remember password, and configure CCS (and *only* CCS) to use that account for its remote queries. You could even disable that account except during times that CCS is using it to gather data.
If you absolutely must run non-Administrator, then I suspect trial-and-error is your best bet. You can look over your standards and see which fields they care about, and then use RMS to experiment until you've assigned your query account just exactly enough access to satisfy those fields.
That may turn out to be a lot of work. Our Professional Services people are good at that sort of thing, so if the task makes you feel tired, consider letting them deal with it for you.
KDH