Non-root apt updates?

Really easy, just needs a sudo configuration snippet in the /etc/sudoers.d configuration drop-in folder.

PackageKit likely is also capable of doing this but that would be a kinda heavyweight solution for this and might introduce its own issues.

Implemented in Whonix 15 source code just now.

upgrade-nonroot

This is something that security maximalists would want to remove (user shouldn’t have capability to upgrade; extra code).

But for hardening / lockdown purposes it might be better to remove group sudo from user `user`, which then would also deactivate this feature.

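An added example, not part of the original post and not Whonix's own code: a small audit for a sudoers drop-in of the kind described above, flagging passwordless grants that leave the command's arguments open. The drop-in lines are constructed samples, and the wrapper path `/usr/bin/upgrade-nonroot` and the function name `audit_dropin` are assumptions.

```shell
#!/bin/sh
# Added example (not Whonix code). The drop-in lines below are constructed
# samples; the path /usr/bin/upgrade-nonroot is an assumption.

# audit_dropin FILE
# Lists every NOPASSWD command that does not pin its arguments with a trailing "".
# In sudoers, a command given without an argument list may be run with any
# arguments, so a passwordless grant on a package tool is wider than it looks.
# Exit status = number of such commands (0 means every grant is pinned).
audit_dropin() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")         # keep only the command list
            n = split($0, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (cmds[i] !~ /[ \t]""[ \t]*$/) {
                    print "unrestricted arguments: " cmds[i]
                    bad++
                }
        }
        END { exit bad + 0 }
    ' "$1"
}

demo_dir=$(mktemp -d)

# Weak (constructed): package tools granted directly, any arguments accepted.
cat > "$demo_dir/weak" <<'EOF'
%sudo ALL=(root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt
EOF

# Tighter (constructed): one fixed wrapper, and "" forbids any arguments.
cat > "$demo_dir/pinned" <<'EOF'
# group sudo may run the upgrade wrapper without a password
%sudo ALL=(root) NOPASSWD: /usr/bin/upgrade-nonroot ""
EOF

for f in weak pinned; do
    if audit_dropin "$demo_dir/$f"; then
        echo "$f: ok"
    else
        echo "$f: needs review"
    fi
done
rm -rf "$demo_dir"
```

Before installing a real drop-in, check its syntax with `visudo -cf <file>`; the audit above only looks at argument pinning.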