This is consistent with the rest of qubes-core-agent-passwordless-root, and helps prevent sandbox escapes by daemons with dbus access.
@@ -1,2 +1,2 @@
//allow any action, detailed reasoning in sudoers.d/qubes
-polkit.addRule(function(action,subject) { return polkit.Result.YES; });
+polkit.addRule(function(action,subject) { if (subject.isInGroup("qubes")) return polkit.Result.YES; });