Using the same account (mcm\portal) for every service and application pool is not a best practice and can cause real problems. For example, if the “Default Content Access Account” is a Farm Administrator (as it is in this case), unpublished documents are crawled as well and become searchable. A least-privilege approach should be used in the production environment.

The correct approach is the following:

SQL Server service account: Local System account or a domain user account. If a domain user account is used, this account uses Kerberos authentication by default, which requires additional configuration in your network environment. If SQL Server uses a service principal name (SPN) that is not valid (that is, one that does not exist in the Active Directory directory service environment), Kerberos authentication fails and NTLM is used instead.

SSP application pool account, SSP service account and Office SharePoint Server Search Service account: these can share the same account login. They should not be members of the Farm Administrators group, and no manual configuration is required.

Default Content Access Account: must not be a member of the Farm Administrators group, for the reason given above (it would crawl unpublished content). This account should also be granted Full Read permissions on any external sources that you want to crawl.

Windows SharePoint Services Search service account and Windows SharePoint Services Search content access account: these can share the same domain account and should not be members of the Farm Administrators group.

Every Web application should have a distinct application pool identity, so that the web applications are isolated from each other and a problem in one cannot spill over into the others.
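A quick way to check the last point on a web front end is to list the IIS application pools and flag identities that are reused, still set to the catch-all account, or running as LocalSystem. The script below is an added example, not code from the original article; it assumes IIS 7 or later with the WebAdministration module and PowerShell 3.0 or later, and the account name mcm\portal is taken from the article only as the value to look for.

```powershell
# Added audit example (not from the original article). Assumes IIS 7+ with the
# WebAdministration module; run in an elevated PowerShell session on each web front end.
Import-Module WebAdministration

# The catch-all account the article warns against; adjust to your own farm.
$sharedAccount = 'mcm\portal'

# Collect pool name, identity type and (for SpecificUser) the account name.
$pools = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pm = $_.processModel
    $identity = switch ([string]$pm.identityType) {
        'SpecificUser' { $pm.userName }
        default        { [string]$pm.identityType }   # LocalSystem, NetworkService, ...
    }
    [pscustomobject]@{ Pool = $_.name; Identity = $identity; Type = [string]$pm.identityType }
}

# 1. Identities used by more than one pool: violates "one identity per web application".
$pools | Group-Object Identity | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Pool }) -join ', '
    Write-Warning ("Identity '{0}' is shared by {1} pools: {2}" -f $_.Name, $_.Count, $names)
}

# 2. Pools that still run as the catch-all account.
$pools | Where-Object { $_.Identity -ieq $sharedAccount } | ForEach-Object {
    Write-Warning ("Pool '{0}' still runs as {1}" -f $_.Pool, $_.Identity)
}

# 3. Pools running as LocalSystem: full machine privileges, never appropriate for a web application pool.
$pools | Where-Object { $_.Type -eq 'LocalSystem' } | ForEach-Object {
    Write-Warning ("Pool '{0}' runs as LocalSystem" -f $_.Pool)
}

# Full inventory for the record.
$pools | Format-Table -AutoSize
```

The script only sees IIS, so it cannot tell you whether an identity is also a Farm Administrator; that membership is a SharePoint setting and has to be reviewed in Central Administration. Run the script on every web front end, since application pools are configured per server.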