I don't think that's what's happening. sudoedit does NOT run the editor as root, it copies the file to a temporary as root, runs the editor as you, and copies the temporary over the target file as root when you're done editing it (at least it's supposed to).

Looks like a misclick, but unsure which comment was intended for this reply.

Yours.

The editor cannot be tricked into editing the wrong file as root by environment variables, because it is not running as root.

The security is an actual flaw in sudoedit, the wrapper script, not a fundamental issue with the environment you pass to the command.

I did not mention an editor, so that reading doesn’t follow. Other comments certainly did and could be wrong in the fashion you describe. However, I did not write them, so I feel no need to defend them.

My point is simply the actionable generalisation of your followup, the substantive part of which I don’t even disagree with. In this instance the utility is the wrapper.