Here's the lines from journalctl -b 0 .... The "sudo" was from me doing:  sudo su - ... just prior to the "snap install blender --classic"

--- start cut ---
Nov 05 15:15:39 jms-u18t sudo[18049]: pam_unix(sudo:auth): authentication failure; logname= uid=1031 euid=0 tty=/dev/pts/0 ruser=jason rhost=  user=jason
Nov 05 15:15:39 jms-u18t sudo[18049]:    jason : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/users/jason ; USER=root ; COMMAND=/bin/su -
Nov 05 15:15:43 jms-u18t gnome-shell[16877]: polkitAuthenticationAgent: Received 3 identities that can be used for authentication. Only considering one.
Nov 05 15:15:46 jms-u18t polkit-agent-helper-1[18065]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1031 euid=0 tty= ruser=jason rhost=  user=jason
Nov 05 15:15:46 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:116 successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18050:34595600 [snap install blender] (owned by unix-user:jason)
Nov 05 15:15:46 jms-u18t snapd[860]: api.go:952: Installing snap "blender" revision unset
Nov 05 15:16:02 jms-u18t gnome-shell[16877]: polkitAuthenticationAgent: Received 3 identities that can be used for authentication. Only considering one.
Nov 05 15:16:05 jms-u18t polkit-agent-helper-1[18083]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1031 euid=0 tty= ruser=jason rhost=  user=jason
Nov 05 15:16:05 jms-u18t polkitd(authority=local)[881]: Operator of unix-session:116 successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage for unix-process:18068:34597431 [snap install blender --classic] (owned by unix-user:jason)
Nov 05 15:16:05 jms-u18t snapd[860]: api.go:952: Installing snap "blender" revision unset
Nov 05 15:16:11 jms-u18t systemd[1]: Reloading.
Nov 05 15:16:11 jms-u18t systemd[1]: Mounting Mount unit for blender, revision 33...
Nov 05 15:16:11 jms-u18t systemd[1]: Mounted Mount unit for blender, revision 33.
Nov 05 15:16:14 jms-u18t audit[18150]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.blender" pid=18150 comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t audit[18151]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.blender.blender" pid=18151 comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t kernel: audit: type=1400 audit(1572988574.599:142): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.blender" pid=18150 comm="apparmor_parser"
Nov 05 15:16:14 jms-u18t kernel: audit: type=1400 audit(1572988574.599:143): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.blender.blender" pid=18151 comm="apparmor_parser"
Nov 05 15:16:15 jms-u18t gnome-shell[16877]: Some code accessed the property 'refreshPropertyOnProxy' on the module 'util'. That property was defined with 'let' or 'const' inside the module. This was previously supported, but is not correct according to the ES6 standard. Any symbols to be exported from a 
Nov 05 15:16:15 jms-u18t pkexec[18154]: pam_unix(polkit-1:session): session opened for user root by (uid=1031)
Nov 05 15:16:15 jms-u18t pkexec[18154]: jason: Executing command [USER=root] [TTY=unknown] [CWD=/home/users/jason] [COMMAND=/usr/lib/update-notifier/package-system-locked]

--- end cut ---

So, we have here from polkitd:  "successfully authenticated as unix-user:jason to gain TEMPORARY authorization for action io.snapcraft.snapd.manage"

So... installing thorough snap, as long as you know the users password... lets you install something on the system? Without needing root privileges?

Is this some apparmor policy thing?