oh wow, I only now noticed that in Sonoma, there’s /etc/pam.d/sudo_local which persists across upgrades!

Terminal window that says:
$ cat /etc/pam.d/sudo_local.template
# sudo_local: local config file which survives system update and is included for sudo
# uncomment following line to enable Touch ID for sudo
#auth       sufficient     pam_tid.so
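One way to turn the template shown above into a working /etc/pam.d/sudo_local, as an added example that is not part of the original post. The function name `enable_touchid_sudo` and its optional directory argument are hypothetical, and the 444 file mode is an assumption about how the files in /etc/pam.d are normally set.

```shell
#!/bin/sh
# Added example: create sudo_local from sudo_local.template with the
# pam_tid.so line uncommented. Pass a scratch directory as $1 to rehearse
# on a copy; with no argument it acts on /etc/pam.d and needs root.

enable_touchid_sudo() {
    pam_dir="${1:-/etc/pam.d}"
    template="$pam_dir/sudo_local.template"
    target="$pam_dir/sudo_local"
    rule='^auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so'

    [ -f "$template" ] || { echo "no template at $template" >&2; return 1; }

    if [ -f "$target" ]; then
        # Already enabled: nothing to do, so repeated runs are harmless.
        if grep -Eq "$rule" "$target"; then
            return 0
        fi
        # A sudo_local with other local rules is never overwritten.
        echo "$target exists without pam_tid.so; edit it by hand" >&2
        return 2
    fi

    tmp="$target.tmp.$$"
    # Uncomment only the pam_tid.so line; the explanatory comments stay.
    sed -E 's/^#(auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so)/\1/' \
        "$template" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Fail closed if the template did not contain the expected line.
    if ! grep -Eq "$rule" "$tmp"; then
        rm -f "$tmp"
        echo "template has no pam_tid.so line" >&2
        return 3
    fi

    # Assumption: read-only for everyone, like the other PAM service files.
    chmod 444 "$tmp" || { rm -f "$tmp"; return 1; }
    # Rename within the same directory so sudo never reads a partial file.
    mv -f "$tmp" "$target"
}
```

Keep a root shell open in another window while testing the change, so a mistake in the PAM file cannot lock you out of sudo.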