Non-root apt updates?

Problem: user needs to constantly (daily, or often enough) escalate privileges using sudo in order to keep an updated system.

Malware running can easily pick up root password.

Is something like the Tails trick of using a non-root user to perform a procedure that was defined for root rights possible in this case?

1 Like

Really easy, just needs a sudo configuration snippet in the /etc/sudoers.d configuration drop-in folder.

PackageKit likely is also capable of doing this but that would be a kinda heavyweight solution for this and might introduce its own issues.

Implemented in Whonix 15 source code just now.

upgrade-nonroot

This is something that security maximalists would want to remove (user shouldn’t have capability to upgrade; extra code).

But for hardening / lockdown purposes it might be better to remove group sudo from user user which then would also deactivate this feature.

3 Likes
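A sketch of the sudoers drop-in approach described in the reply above, as an added example that is not part of the thread and not the Whonix upgrade-nonroot source. The wrapper path, drop-in file name and both function names are hypothetical.

```shell
#!/bin/sh
# Added example; not the Whonix upgrade-nonroot source. Paths are hypothetical.
#
# Drop-in /etc/sudoers.d/upgrade-nonroot-example (check with: visudo -c -f FILE):
#   %sudo ALL=(root) NOPASSWD: /usr/local/sbin/upgrade-nonroot-example ""
# The trailing "" makes sudo refuse any command-line arguments. Granting
# apt-get itself, or any rule with wildcards, would amount to passwordless
# root, because apt and dpkg options can run other programs.

WRAPPER=/usr/local/sbin/upgrade-nonroot-example   # hypothetical path

# rule_is_narrow LINE: succeed unless LINE is a NOPASSWD rule that grants
# anything other than exactly the wrapper with the empty-argument marker.
rule_is_narrow() {
    case $1 in
        *NOPASSWD:*) ;;
        *) return 0 ;;          # rule still asks for a password
    esac
    cmds=${1#*NOPASSWD:}
    cmds=$(printf '%s' "$cmds" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ "$cmds" = "$WRAPPER \"\"" ]
}

# upgrade_nonroot: body of the wrapper the sudoers rule points at.
# Install it root-owned, mode 0755, in a directory the user cannot write to,
# with a final line:  upgrade_nonroot "$@"
upgrade_nonroot() {
    # Defense in depth: sudoers already rejects arguments via "".
    [ "$#" -eq 0 ] || { echo "no arguments accepted" >&2; return 64; }
    [ "$(id -u)" -eq 0 ] || { echo "run via sudo" >&2; return 77; }
    # Fixed environment, nothing inherited from the calling user.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    DEBIAN_FRONTEND=noninteractive
    export PATH DEBIAN_FRONTEND
    # No interactive prompts: dpkg's conffile prompt can open a shell,
    # so keep existing config files and detach stdin.
    apt-get update </dev/null &&
        apt-get --yes -o Dpkg::Options::=--force-confold dist-upgrade </dev/null
}
```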