Added, hopefully others will add their thoughts too.
I did, yes. But as with anything related to security, it is easy to take a specific suggestion and generalise it without thinking through the consequences.
Things are protected by sudo for really good reasons, it isn't done lightly. So undoing that - especially if allowing access to editors who possibly don't understand operating system security - is going to have consequences.
In this case, the most obvious would be accidental or deliberate denial-of-service.
There are some things that you CAN do in Node-RED (because it is a great compute environment), but that doesn't mean that you SHOULD.
There are other, non-Node-RED methods for restarting services, which is something that should indeed be restricted to an admin separate to a Node-RED admin. Similarly, you don't HAVE to install/update/remove node modules from Node-RED itself. It is a nice feature but probably terrible in a production environment. In such cases set up a separate admin script that an OS admin has to run. Maybe use Node-RED to create a request form so that your users can still request changes to node modules but an OS admin has to actually run them after due diligence.
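
One way to build the "request form, but an OS admin runs it" split suggested in the post above, as an added example that is not part of the original thread: the admin-side script validates queued requests and only ever produces fixed `npm` argument lists for review. The queue format (one JSON object per line) and the names `parseRequest` and `reviewQueue` are assumptions made for this sketch.

```javascript
// Added example: OS-admin-side review of module change requests queued by a Node-RED form.
// Assumed queue format (not a Node-RED feature): one JSON object per line.
const ACTIONS = new Set(["install", "update", "remove"]);
// Plain registry names only (optional @scope/); URLs, paths and git specs do not match.
const NAME_RE = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
// Exact versions only, so the admin reviews precisely what will be installed.
const VERSION_RE = /^\d+\.\d+\.\d+$/;

function parseRequest(line) {
  let req;
  try { req = JSON.parse(line); } catch { return { ok: false, reason: "not JSON" }; }
  if (req === null || typeof req !== "object") return { ok: false, reason: "not an object" };
  const { action, module: name, version, requestedBy } = req;
  if (!ACTIONS.has(action)) return { ok: false, reason: "unknown action" };
  if (typeof name !== "string" || name.length > 214 || !NAME_RE.test(name)) {
    return { ok: false, reason: "bad module name" };
  }
  if (action === "remove") {
    return { ok: true, requestedBy, argv: ["npm", "uninstall", name] };
  }
  if (typeof version !== "string" || !VERSION_RE.test(version)) {
    return { ok: false, reason: "exact version required" };
  }
  // install and update both pin the reviewed version.
  return { ok: true, requestedBy, argv: ["npm", "install", `${name}@${version}`] };
}

// Split the queue into commands to review and rejected lines with reasons.
function reviewQueue(text) {
  const approved = [], rejected = [];
  text.split("\n").map((l) => l.trim()).filter(Boolean).forEach((line, i) => {
    const r = parseRequest(line);
    if (r.ok) approved.push({ line: i + 1, requestedBy: r.requestedBy, argv: r.argv });
    else rejected.push({ line: i + 1, reason: r.reason });
  });
  return { approved, rejected };
}

// Constructed sample queue (module names and users are made up).
const SAMPLE_QUEUE = [
  '{"action":"install","module":"node-red-contrib-example","version":"1.2.3","requestedBy":"alice"}',
  '{"action":"install","module":"git+https://example.invalid/x.git","version":"1.0.0","requestedBy":"bob"}',
  '{"action":"restart","module":"nodered","requestedBy":"carol"}',
  '{"action":"remove","module":"@scope/node-red-contrib-demo","requestedBy":"alice"}',
  "this line is not JSON",
].join("\n");

// The admin reads this output, then runs each argv with child_process.execFile
// (no shell) from the Node-RED user directory.
console.log(JSON.stringify(reviewQueue(SAMPLE_QUEUE), null, 2));
```

Node-RED itself only needs write access to the queue file; it never gets sudo, and a service restart request is rejected outright because it is not one of the allowed actions.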