When running updates the action scope of the user is limited to update the packages or don't. For people in sudoers (users not governed by a sysadmin) the authentication/"type your password" step could be skipped as they can't really do anything to compromise the system. Reproducible: Always
sudo is not invovled. To control who gets to do what in which way you'll want to configure polkit (I think pklocalauthority or pokit-action would be terms to search for on that matter).
So if e.g. Kubuntu configured a different policy it would not ask for password?
Yes. More improtantly though, *you* can create a different access policy.
Great thanks.