Reply to post: Policy can still let you down

Linux distros haunted by Polkit-geist for 12+ years: Bug grants root access to any user

Colin Guthrie
Facepalm

Policy can still let you down

I remember a while back that I found a several-years-old bug in the policy file for a tool called sectool, which was a Red Hat thing. Its policy file ultimately gave all users the right to do things as root. So install a package to audit security and it messes up your security! Fun times.

Polkit is handy overall tho'. Gives flexibility to run a restricted set of tasks very cleanly with a defined API on the system/user buses (speaking to appropriate daemons running as other users etc). It's pretty clean (from a usage perspective) generally even if the JS interpreter might seem like overkill. Running commands via the CLI is just one use case for polkit - sudo certainly can't do 90% of what polkit can. The same policy mess-up I found (which was pre the big polkit rewrite IIRC) could have just as easily been a file packaged in the /etc/sudoers.d/ folder.