Necessity of sudo while installing with dnf
In the scenario you describe, "you" are not installing the package that is installed - the PackageKit service (which is already running as root) is doing the installation on your behalf. The PackageKit uses PolicyKit to determine who is or is not allowed to install packages - if you don't want unprivileged users to be able to install software, you can change the PolicyKit policy to disallow it. One of the reasons PackageKit exists is so the user doesn't have to know the details of the package management system on whatever distro the are using (whether it's dnf, or yum, or apt, or pacman, or whatever) - they just have to ask PackageKit to install the package, and PackageKit deals with the details of package management and installation on that particular distro. When you manually use dnf to install a package on Fedora, you are directly interacting with the package management system - PackageKit is not doing this operation on your behalf - which is why you need to be running as root (or provide the root password) in order to install packages at that level. But, as an ordinary user, you can use pkcon install <packagename> to ask PackageKit to do the installation on your behalf (as long as system policy as configured in PolicyKit allows you to do so), without ever having to be running as root (via su or sudo etc.), or providing the root password.
The behavior you're talking about, where you're prompted to install a package if you try to run something on the command line that's provided by a package you do not already have installed, is driven by a package called "PackageKit-command-not-found". I absolutely detest this behavior, and one of the very first things I do on any newly installed Linux system is to remove the PackageKit-command-not-found package so this is not done....
When you type a non-installed program name, it's not dnf installing it but PackageKit and it's command not found plugin (package PackageKit-command-not-found). PackageKit uses PolicyKit to decide whether to ask for password when doing privileged tasks or not and local active admin users don't need to give password for package installation (it's not Fedora specific feature, it came from usptream, see this FESCO discussion). This is the same reason why you don't need to provide password when installing or updating packages from the GUI tools like GNOME Software which also uses PackageKit as backend.
You can also use PackageKit from command line, the command is pkcon and pkcon install <package> also won't ask for password.
And why dnf needs sudo? It simply doesn't use PolicyKit.