macOS update & upgrade with Standard User permissions

OS Updates can be installed by a user with a secure token, they don't need admin access. OS Upgrades require Admin Access. A MDM with a Secure Token can install both OS Updates and Upgrades. Nothing else can install OS updates for a user by Apples design.

Note that some versions of macOS Ventura show a prompt stating it needs administrator credentials when it's actually requesting the credentials for the secure token holder

In This case you can use "Privileges" app in User's account. This would help us to enter there login credentials for certain period of time.
macOS-enterprise-privileges
https://github.com/SAP/macOS-enterprise-privileges

It's on my wishlist that, much like adding users to the _developer group of yore, Apple provide some group(s) - maybe _osgraders/_osupdaters to which we could add user accounts and they would then have all necessarily permissions to upgrade/update macOS but not install other software or run admin / sudo root commands. It's not like Apple doesn't know what all needs that, you'd think they could whip up an entitlement list pretty quickly. 

We have some standard users in out company and we just deploy the erase-install script in self service