Why user without sudo privileges can use Muon?


    I created a user_2 that has no sudo privileges:
    Code:
    user@user_2 ~ $ id
    uid=1001(user_2) gid=1001(user_2) grupy=1001(user_2),4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),104(fuse),115(nopasswdlogin)
    When I do sudo apt-get update it tells me to type in the administrative password for user_2 and gives me back information that this user is not in the sudoers group, which is correct behaviour.
    But I can still do updates with Muon and install programs from this account, and it asks me for the administrative password of user_1 and accepts it.
    Has this something to do with group 4(adm)?

    Basically I created this account for myself, because I think it is a little bit safer to not work on an administrative account and not even use the administrative password on this account.
    Last edited by gnomek; May 23, 2012, 06:38 AM.

    #2
    Originally posted by gnomek
    I created a user_2 that has no sudo privileges:
    Has this something to do with group 4(adm)?
    No. The purpose of the 'adm' group is system monitoring (namely to give read access to most of the logs in /var/log for its members), it isn't related to authentication (unless you've specifically modified sudoers to give sudo privileges to the adm group, of course).

    I believe the difference in authentication behavior you are experiencing is the difference between sudo and policykit (which is a separate/alternative authentication method with its own configuration...in other words, sudo configuration doesn't affect policykit authentication). I don't have Muon installed, but I believe it uses policykit as the authentication method instead of sudo.


      #3
      Originally posted by kubicle
      I believe the difference in authentication behavior you are experiencing is the difference between sudo and policykit (which is a separate/alternative authentication method with its own configuration...in other words, sudo configuration doesn't affect policykit authentication). I don't have Muon installed, but I believe it uses policykit as the authentication method instead of sudo.
      Exactly.

      Though truth be told, you can just as well use apt-get from a non-sudo user, you just need to switch to a user that is in the sudo group.

      For example
      $ su user_1 # switches the user to user_1 who is in sudo
      $ sudo apt-get install foo # runs sudo as user_1 thus allowing sudo to work

      It is essentially the same concept as polkit, there you'd also authenticate as user_1, except it is less intrusive as it is a built-in feature. For example, your son does not have sudo access on his computer but wants you to install a deb. You'd click the deb and authenticate as an admin user to complete the installation. It is also similar to what Windows does: there, if you have a non-admin user and try to do an administrative task, you can also choose to authenticate as administrator to execute the task.
      apachelogger, Kubuntu Core Developer and Master of the Minions.


        #4
        Are there any policykit authentication settings in Kubuntu where I can switch this behaviour off?


          #5
          Not an answer to your question, but you can remove the update notifier and check manually.


            #6
            Originally posted by gnomek
            Are there any policykit authentication settings in Kubuntu where I can switch this behaviour off?
            Probably (but like apachelogger already mentioned, that doesn't really prevent a non-privileged user from running things as root if the user knows an admin user's password...as the user can easily switch to that user).

            Unfortunately, I haven't had a reason to dig into policykit configuration and cannot offer advice on what would be the sanest way to modify the behaviour, so you'll probably be better off checking the internet and man pages (unless someone else can pitch in).

            Some man pages to start with: 'man polkit', 'man pklocalauthority', 'man pkaction', 'man pkcheck'
            A command to check existing policykit authentication rules: 'pkaction --verbose'
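
One way to read the `pkaction --verbose` output mentioned in the post above, as an added example that is not part of the original thread: it lists the actions whose default for an active local session is `auth_admin` or `auth_admin_keep`, which is the setting that makes polkit ask for an administrator's password (user_1 in this thread) instead of consulting sudoers. The function names and the `org.example.*` action ids are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read `pkaction --verbose` text on stdin and list the actions
# whose default for an active local session is admin authentication.
polkit_admin_actions() {
    awk '
        # An action block starts with an unindented "<action.id>:" line.
        /^[^ \t].*:$/ { id = $0; sub(/:$/, "", id); next }
        # "implicit active" is the default applied to active local sessions.
        /^[ \t]+implicit active:/ {
            val = $0
            sub(/^[ \t]+implicit active:[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (id != "" && val ~ /^auth_admin(_keep)?$/)
                printf "%s\t%s\n", id, val
        }
    '
}

# Constructed sample in the layout `pkaction --verbose` prints.
# The org.example.* ids are placeholders, not real polkit actions.
sample_pkaction_output() {
    cat <<'EOF'
org.example.pkgmanager.commit:
  description:       Install or remove packages
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep

org.example.disk.format:
  description:       Format a removable disk
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin

org.example.wifi.share:
  description:       Share a connection
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_self
EOF
}

# Offline demo; on a live system use: pkaction --verbose | polkit_admin_actions
sample_pkaction_output | polkit_admin_actions
```

Actions set to `auth_self` are left out because they prompt for the calling user's own password rather than an administrator's.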
