If the VM is on the corporate network then it’s the same as connecting an unmanaged device - defeats the purpose of locking down machines. Developer VMs should be on their own VLAN.

Yes, but I think you are missing the point. Developers can access dev and production machines with non root users, root is never needed to run software.

If you are part of the sysadmins that really need root, to manage iptables or system updates for instance, you would have root.