It doesn’t necessarily have to be full root access. It could just be e.g. a compromised service with only CAP_DAC_OVERRIDE. Many do use that capability.
Oh, I’ve never messed around with those before and I thought they required local access.
If the system map files can be recovered remotely, then we can just switch the rm with shred -zu in the script.