I dug around a bit more, and the root access works via invoking /usr/bin/pkexec, which is part of the PolicyKit framework.
It allows running a process as another user, which based on certain policy settings can happen without being prompted.
If I run
pkexec /usr/lib/mate-tweak/install-mate-panel-layout directly from a terminal, it would ask me to authenticate, yet MATE-Panel is apparently allowed to do that specific call without prompting the user.
This is configured in
To be honest, I'm not really a fan that this auto-elevation mechanism even exists. I know there is always this tradeoff of security vs. convenience, and I very much lean towards the former.
Oh, and by the way, while removing that policy file does restore the authentication prompt, canceling the dialog causes MATE-Tweak to still announce it successfully saved the panel layout because it was written based on the assumption it would always have the rights to...
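An added example, not part of the original post or of MATE's code: a small audit that reads polkit action files and lists every pkexec-launched program granted without an authentication prompt, which is the kind of setting described above. The sample policy and its action ids are constructed placeholders; only the helper path comes from the post.

```python
import glob
import sys
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"  # annotation pkexec matches on

# Constructed sample; the action ids are placeholders, not MATE's real ones.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.constructed.install-layout">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/lib/mate-tweak/install-mate-panel-layout</annotate>
  </action>
  <action id="org.example.constructed.prompting-helper">
    <defaults>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-helper</annotate>
  </action>
</policyconfig>"""


def find_unprompted_actions(policy_xml):
    """Return pkexec actions that the policy grants without an authentication prompt."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        exec_path = next((a.text.strip() for a in action.iter("annotate")
                          if a.get("key") == EXEC_PATH_KEY and a.text), None)
        if exec_path is None:
            continue  # action is not tied to a pkexec-launched program
        # A missing element is treated as not granted in this audit.
        granted = [tag for tag in ("allow_any", "allow_inactive", "allow_active")
                   if (action.findtext(f"defaults/{tag}") or "no").strip() == "yes"]
        if granted:
            findings.append({"id": action.get("id"), "exec": exec_path, "scopes": granted})
    return findings


if __name__ == "__main__":
    # Standard directory for vendor-shipped polkit action files.
    paths = sys.argv[1:] or glob.glob("/usr/share/polkit-1/actions/*.policy")
    for path in paths:
        with open(path, "rb") as fh:
            for hit in find_unprompted_actions(fh.read()):
                print(f"{path}: {hit['id']} runs {hit['exec']} without prompt for {hit['scopes']}")
```

This covers action files only; local polkit rules can also grant or deny actions and need a separate review.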