Valid point. There might be a solution for that.
What about adding a new user admin?
Long term version:
- user
usernot being member of groupsudo/suetc. - Users are advised to login as user
adminand then usesudo.
At first, this could be a documentation-only thing for advanced users. (This could be implemented very soon.)
Not sure the cumbersomeness usability wise would allow this to ever become a default configuration.
Very long term version:
- wayland will sort the need to login using a virtual console.
So until we have a solution for that (realistically only wayland in many years most likely), I think we should go for virtual console login. At least as security advice for advanced users.