The arpwatch binary and man page are owner.group bin.bin. They should probably be root.root. This isn't particularly serious, but it's an easy step to root for someone breaking in through portmap.
Fixed in tcpdump-3.4-14 (arpwatch-2.1a4-14). Thanks for noticing.