only if you have not using the default passwordless sudo, right?
So - for me - it is not an additional attack surface at all.
but even with more strict settings, a compromised user account very likely can download any further exploits they want - unless you restrict the net access by a firewall vm (or by not assigning any netvm). But that’s another topic, and surely not a related to a minimal template.
so at the end, this is very weak, and questionable benefit. - that’s how I see.