This has already been discussed
https://forum.qubes-os.org/t/wtf-passwordless-root-access-in-vms/3517
The tldr is that you can remove the package if you don’t want passwordless root.
Future development might add a feature to disable passwordless root, making it a user choice.
https://github.com/QubesOS/qubes-issues/issues/2695#issuecomment-301316132