That’s because sudo doesn’t really set up a whole session, thus there’s no session bus, and no way to create a transient scope which is mandatory for application tracking, completing the sandbox and providing refresh app awareness. Especially on a fully cgroup v2 system, the only way device filtering can be implemented without breaking your session is using a separate cgroup (i.e. the transient scope).
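Added example, not part of the original text: a shell diagnostic for the situation described above. It reports whether the process sits in its own scope, whether a session bus is reachable to request one, and whether the host is cgroup v2 only. The unit prefix `app.example` and the sample cgroup lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Unit prefix "app.example" and all sample data are constructed.

# unified_path CONTENT: print the cgroup v2 path (the "0::<path>" line), fail if absent.
unified_path() {
    p=$(printf '%s\n' "$1" | sed -n 's/^0:://p' | head -n 1)
    [ -n "$p" ] && printf '%s\n' "$p"
}

# pure_v2 CONTENT: succeed only if every line belongs to the unified hierarchy.
pure_v2() {
    [ -n "$1" ] && ! printf '%s\n' "$1" | grep -qv '^0::'
}

# in_own_scope PATH PREFIX: succeed if the leaf cgroup is a scope named PREFIX*.scope.
in_own_scope() {
    case "${1##*/}" in
        "$2"*.scope) return 0 ;;
        *) return 1 ;;
    esac
}

# session_bus ADDR RUNTIME_DIR: print a usable session bus address or fail.
session_bus() {
    if [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ] && [ -S "$2/bus" ]; then printf 'unix:path=%s/bus\n' "$2"
    else return 1
    fi
}

# diagnose CONTENT PREFIX ADDR RUNTIME_DIR: print "<tracking> <hierarchy>".
diagnose() {
    path=$(unified_path "$1") || path=""
    if pure_v2 "$1"; then mode="v2-only"; else mode="v1-or-hybrid"; fi
    if in_own_scope "$path" "$2"; then echo "tracked $mode"
    elif session_bus "$3" "$4" >/dev/null; then echo "untracked $mode"
    else echo "no-session-bus $mode"
    fi
}

# Constructed /proc/self/cgroup samples: inherited login session vs. per-app scope.
SUDO_CG='0::/user.slice/user-1000.slice/session-3.scope'
APP_CG='0::/user.slice/user-1000.slice/user@1000.service/app.slice/app.example-1234.scope'
HYBRID_CG='1:name=systemd:/user.slice/user-1000.slice/session-3.scope
0::/user.slice/user-1000.slice/session-3.scope'

# Live check of the current process (run once normally, once under sudo).
diagnose "$(cat /proc/self/cgroup 2>/dev/null || true)" "${1:-app.example}" \
    "${DBUS_SESSION_BUS_ADDRESS:-}" "${XDG_RUNTIME_DIR:-}"
```

A result of `no-session-bus v2-only` is the case the text describes: no bus to request a scope, and no separate cgroup for device filtering to attach to.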