Posted on 06-12-2024 03:03 AM
I have a team of developers that need to use sudo and developer tools on the Mac, which means they have been given admin rights to their laptops. Does anyone have any recommendations on how I can give them the rights they need without giving them full-blown admin rights to the laptop?
Posted on 06-12-2024 03:27 AM
Many options, including Jamf Connect, scripting and Self Service, and this: https://github.com/SAP/macOS-enterprise-privileges
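One form the "scripting" option in that reply can take, as an added example that is not part of the original thread: a POSIX shell script that builds a sudoers.d fragment granting a group an explicit allow-list of commands (so developers get the sudo they need without being local admins), refuses fragments that would amount to full admin, and installs it with the permissions sudo expects. The group name "developers", the alias name and the command paths are placeholders chosen for illustration, not values from the page; replace them with the binaries your team actually needs.

```sh
#!/bin/sh
# Added example, not from the thread. Generates, validates and installs a
# sudoers.d fragment that grants one group a fixed allow-list of commands.
# Assumptions (placeholders, not from the page): group "developers" and the
# command paths used in the usage section below.

# build_sudoers_fragment GROUP ALIAS CMD [CMD...]
# Prints a fragment with one Cmnd_Alias listing the allowed commands and one
# rule granting that alias to the group. Passwords are still required, and
# only absolute command paths are accepted (no wildcards, no relative paths).
build_sudoers_fragment() {
    group=$1; cmd_alias=$2; shift 2
    cmds=
    for c in "$@"; do
        case $c in
            /*) ;;
            *) echo "refusing non-absolute command: $c" >&2; return 1 ;;
        esac
        cmds="${cmds:+$cmds, }$c"
    done
    printf '# Managed: limited sudo for %%%s; edit via the MDM policy, not by hand\n' "$group"
    printf 'Cmnd_Alias %s = %s\n' "$cmd_alias" "$cmds"
    printf '%%%s ALL=(root) %s\n' "$group" "$cmd_alias"
}

# check_sudoers_fragment FILE
# Rejects any uncommented rule whose command list is ALL or that carries
# NOPASSWD (either would hand the group full admin again). When running as
# root and visudo is installed, also asks visudo to parse the file; visudo's
# owner/mode checks expect a root-owned 0440 file, so the mode is set first.
check_sudoers_fragment() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    if grep -Eq '(\)|=)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' "$f"; then
        echo "rejected: a rule grants ALL commands" >&2; return 1
    fi
    if grep -Eq '^[^#]*NOPASSWD' "$f"; then
        echo "rejected: NOPASSWD is not allowed here" >&2; return 1
    fi
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        chmod 0440 "$f"
        visudo -c -f "$f" >/dev/null || { echo "rejected: visudo syntax check failed" >&2; return 1; }
    fi
    return 0
}

# install_sudoers_fragment NAME FILE
# Validates FILE, then places it in /etc/sudoers.d/NAME as root:wheel 0440.
# Meant to run as root, e.g. from a Jamf policy script.
install_sudoers_fragment() {
    name=$1; f=$2
    check_sudoers_fragment "$f" || return 1
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to install $name" >&2; return 1; }
    install -o root -g wheel -m 0440 "$f" "/etc/sudoers.d/$name"
}

# Usage (only when invoked directly, so the functions can also be sourced):
if [ "${0##*/}" = "limited-sudo.sh" ]; then
    tmp=$(mktemp) || exit 1
    build_sudoers_fragment developers DEV_CMDS \
        /usr/bin/xcode-select /usr/sbin/DevToolsSecurity > "$tmp" || exit 1
    install_sudoers_fragment developers "$tmp"; rc=$?
    rm -f "$tmp"; exit $rc
fi
```

The fragment is only picked up if the stock sudoers includes the drop-in directory; check with `grep includedir /etc/sudoers` before relying on it. The point of the validator is that a later edit cannot quietly turn the fragment into `ALL=(ALL) NOPASSWD: ALL`, which is exactly the "full-blown admin" the question wants to avoid.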
06-12-2024 05:40 AM - edited 06-12-2024 05:43 AM
You are leaving the domain of device management and moving into the domain of identity management. I suggest looking into tools like CyberArk EPM to control the permissions on binaries; EPM can run a binary with root permissions without ever needing the user to have root permissions.
We use EPM. It is a beast to set up and manage all the policies, but it works well for what it is. In the example below I am running a sudo command, and notice I am not getting challenged for a password. It's because we have an EPM policy to escalate the jamf binary when the recon argument is used.
We also block everything run with sudo unless it's been whitelisted; for example, if I try to run sudo killall, EPM blocks the binary from running. We are not even getting far enough to enter my password.
This is not limited to binaries in the terminal; it can block/allow/auto-escalate applications and file extensions such as DMGs or PKGs. It can also auto-escalate specific functions of an application, as well as actions within preference panes.
Is EPM heavy-handed? Depends on how you configure it. Are we heavy-handed with EPM? Absolutely, but in the past year we have stripped admin access from everyone and have been able to accommodate every privileged workflow with EPM. The only time I have had to use an admin-access-on-demand kind of workflow is when EPM was broken, or in a very complex one-off task that was not worth automating because the task would never be repeated. EPM can also grant and remove admin access from users, so you don't have to rely on flaky scripts and launch daemons run by Jamf to grant and remove "full-blown admin access".