0

I created a user with useradd without specifying a password. When I try to

sudo -u theuser echo hi

I am being prompted for my admin password (unless specified otherwise in the sudoers file, of course).

su -c "echo hi" -s /bin/sh theuser

asks for theuser's password which is strange, but does not work either. Which is good.

I am now executing a

./malicious_binary

Is it safe to assume that it also cannot switch to theuser (without my explicit confirmation), even though it does not have a password set? (Or should I set an arbitrary password just to be sure)?

phil294

2 Answers

3

...su -c ... theuser asks for theuser's password which is strange,...

There is nothing strange about this; this is exactly how su is supposed to work. It might be useful to make yourself more familiar with the concepts behind su and sudo and how they differ. In short: su allows user A to execute a command as user B provided that user A can also authenticate itself as user B. In this case A can execute anything as B because A can actually be B. sudo instead allows user A to run only the specific commands in the context/permissions of user B, which root has explicitly allowed A to run in this context. Thus the authentication asks for user A to make sure that this is the user which is allowed to execute this specific command as B.

Is it safe to assume that it also cannot switch to theuser (without my explicit confirmation), even though it does not have a password set?

No, this is not safe to assume.
su needs the password of B and if there is no password set you effectively cannot log in as B (note that no password set is different from an empty password set). But sudo only needs a successful authentication of A, which the user has. If the sudo permissions are set too broadly then A might be able to break out of an allowed command to execute other code.
A classic example for this case is when A is allowed with sudo to edit a specific file with vi as user B. But it is possible to execute arbitrary external commands from within vi. This means that once A is running vi within the context/permissions of B he can also execute any other commands from within the editor session and these will also run as B.

Apart from that there might be other attack vectors which allow privilege escalation for A. There were in the past enough bugs in the Linux kernel or system setup which allowed such attacks. Thus, if you are not running a system which is still supported and keeping it always up-to-date there is a fair chance that your system is affected by such security bugs.

Steffen Ullrich

0

You can check /etc/shadow to see if the password is truly empty. passwd -d theuser will set the hash as empty while passwd -l theuser will lock the account by setting the hash to !. By default most distributions are configured to disallow login with an empty password, but some specify nullok or nullok_secure for pam_unix.so, which allows login with an empty password.

Since you can't log in, either the account is locked or empty passwords are disallowed. To be safe it'd be best to lock it.

AndrolGenhald
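The check described in the last answer, as an added example that is not part of either answer: it classifies the password field of shadow lines and flags an empty field only when an active pam_unix.so line carries nullok or nullok_secure. The function names, state labels, account names, hashes and PAM lines are assumptions constructed for illustration; on a real system the input would be /etc/shadow and the files under /etc/pam.d, read as root.

```shell
#!/bin/sh
# Added example: classify shadow(5) password fields and spot pam_unix nullok.
# All account names, hashes and PAM lines below are constructed samples.

# Print the state of the password field (2nd field) of one shadow line.
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')           echo empty ;;     # e.g. after passwd -d
        '!'|'!!'|'*') echo no-hash ;;   # no password ever set, nothing can match
        '!'*)         echo locked ;;    # passwd -l prefixes an existing hash with !
        *)            echo hash-set ;;
    esac
}

# Read PAM config on stdin; print active pam_unix.so lines that enable nullok.
pam_nullok_lines() {
    grep -v '^[[:space:]]*#' |
        grep -E 'pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)' || true
}

# Read shadow lines on stdin, PAM config text as $1.
# An account is "exposed" only if its field is empty AND PAM accepts that.
audit() {
    nullok=no
    if [ -n "$(printf '%s\n' "$1" | pam_nullok_lines)" ]; then nullok=yes; fi
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        state=$(shadow_state "$line")
        verdict=not-exposed
        if [ "$state" = empty ] && [ "$nullok" = yes ]; then verdict=exposed; fi
        printf '%s %s %s\n' "${line%%:*}" "$state" "$verdict"
    done
}

# Constructed sample input.
SHADOW='theuser:!:19700:0:99999:7:::
emptyuser::19700:0:99999:7:::
lockeduser:!$6$salt$constructedhash:19700:0:99999:7:::'
PAM_WEAK='# auth required pam_unix.so nullok
auth    required    pam_unix.so nullok'

printf '%s\n' "$SHADOW" | audit "$PAM_WEAK"
```

A "not-exposed" verdict only covers password authentication as that user; it says nothing about sudo rules that let another account run commands as them.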