agree. ordinary user is absolutely sufficient.
I'll now present a sophisticated privilege escalation method that most of us won't notice (me included, sarcasm off):
alias sudo='/usr/bin/sudo echo something evil && /usr/bin/sudo'
I don't think it matters that he used his root account.
As an attacker, I test for sudo -n. If it succeeds, I have root. In most cases I do not need it however. SSH key trusts, SSH multiplexing and bad posix permissions are more than enough to get me anywhere and grab anything.
If they have access to your .bashrc they can also alter your PATH and create a script named sudo somewhere they have write access to that carries the malicious payload. So you're not gaining much by adding the quotes.
Edit: Maybe I'm wrong with my opinion, you can disable ASLR using your root rights... https://askubuntu.com/a/318476
Edit: Last exploit for Linux remote exploitation with Flash is from 2015 https://www.rapid7.com/db/modules/exploit/multi/browser/adob... or did I miss something here?