Vault agent on VM (not containerized) cluster

I need to make vault accessible to a web application running on a VM cluster. I’d like to use vault agent. I have a set number of servers.

Is the best practice to run an instance of vault agent on each server?

Also, if I run vault agent via a vault user, the token written to sink is owned by vault:vault, and not readable by my application. Is it safe to run vault agent via the same user as my application?