The short answer is that my distro did not let me do this easily. But that was for good reason.
A system update would require too many privileges that it would be almost indistinguishable from root.
Currently, every user I have is restricted in what files it has access to. A system update user would need access to so many files, including install locations of all binaries, and non-binary installation paths of all current and future programs I install (some package installs modify /var, many modify /etc, and so on).
This user will also have access to all these programs, down to system applications. It can trivially break a permission system I come up with.
It may be possible to restrict system updates to a user, but it would be such a powerful user that its not really worth it.