If you're like me, one of the first things you do on a new Garuda installation is edit /etc/sudoers.d/10-installer and comment out the line allowing users in the wheel group to execute any command. This is just common sense for me - if I have the root user enabled by default, I might as well use it, and if that is the case, then I shouldn't give the regular user any privileges.
After that I also change the user from administrator to standard through Garuda settings (this removes it completely from the wheel group) and add it to the groups suggested by the GUI (audio, scanner, sys, etc.).
This setup allows for a pretty easy workflow for most things - when KDE needs elevated privileges, it just asks for the root password. When I need to do stuff in the terminal, I just su and do my thing. But Octopi's update and install features really want to use sudo in the backend, and this is a GUI app that I really appreciate and wish to use as intended. So here is what we do:
Write a file in /etc/sudoers.d/octphelper containing the following:
Defaults targetpw
username ALL=(root) /usr/lib/octopi/octphelper -ts
username ALL=(root) /bin/sh -c unset LC_ALL; exec /usr/lib/octopi/octphelper -ts
[If you add just the first two lines, it seems to work at first, but then Octopi also wants you to be allowed to run /bin/sh -c unset LC_ALL; exec /usr/lib/octopi/octphelper -ts]
Now we can update from the Octopi notification icon, or install any app using Octopi, and the GUI will ask for the root password. This will not allow your user to execute any other commands through sudo with the root password. You can create similar rules for pacman or update, or any command you wish really, just don't go all sudo crazy.
Soar on ~
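
One way to write and install the file above safely, as an added example that is not part of the original post. It differs from the post in one respect: a bare `Defaults targetpw` applies to every sudo rule on the system, so the sketch uses the user-scoped form `Defaults:username targetpw`. The function names and the user-name check are assumptions of this example.

```shell
#!/bin/sh
# Added example: build, validate and install the Octopi sudoers drop-in.
# Assumption: run as root; path and rule text are the ones from the post.

DROPIN=/etc/sudoers.d/octphelper
HELPER=/usr/lib/octopi/octphelper

# Print the drop-in for one user. "Defaults:USER targetpw" limits the
# root-password prompt to that user instead of changing it for everyone.
render_dropin() {
    user=$1
    case $user in
        # Assumption: plain lowercase login names only, so nothing in the
        # name needs sudoers escaping (',', ':', '=', '\').
        ''|*[!a-z0-9_-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    printf 'Defaults:%s targetpw\n' "$user"
    printf '%s ALL=(root) %s -ts\n' "$user" "$HELPER"
    printf '%s ALL=(root) /bin/sh -c unset LC_ALL; exec %s -ts\n' "$user" "$HELPER"
}

# Check the candidate with visudo before it goes live: a syntax error in a
# file under /etc/sudoers.d can leave sudo unusable.
install_dropin() {
    user=$1
    tmp=$(mktemp) || return 1
    render_dropin "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! visudo -cf "$tmp" >/dev/null; then
        echo "visudo rejected the rules, nothing installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # sudoers drop-ins should be owned by root and not writable: mode 0440.
    install -o root -g root -m 0440 "$tmp" "$DROPIN"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run as root with the login name as the only argument.
if [ "$#" -gt 0 ]; then
    install_dropin "$1"
fi
```

Afterwards, `sudo -l -U username` run as root lists what that user may run, which should be only the two octphelper entries.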