Historically, Vyatta and then VyOS executed all operational mode commands directly in the user's shell.

Vyatta once tried to restrict operator-level users using a restricted shell, but as long as the user account itself has root permissions required to run commands, any shell escape renders that protection moot, and security researchers found multiple shell escapes that bash's restricted shell mechanisms cannot prevent.

Thus, the only way to implement any privilege separation is to make all VyOS op mode commands go through a runner executable that has suid bit set, and that can then decide whether the calling user is allowed to execute a command or not — like a specialized version of sudo.