Running a remote virtual TW plasma desktop in a virtualbox supervisor, and enabled VNC logins, using kdm display manager (due to sddm's missing XDMCP support).

cat /etc/polkit-default-privs.local

# always request admin privs to shutdown, reboot, suspend and hibernate
org.freedesktop.login1.power-off                                auth_admin_keep
org.freedesktop.login1.power-off-multiple-sessions              auth_admin_keep
org.freedesktop.login1.reboot                                   auth_admin_keep
org.freedesktop.login1.reboot-multiple-sessions                 auth_admin_keep

org.freedesktop.login1.suspend                                  auth_admin_keep
org.freedesktop.login1.suspend-multiple-sessions                auth_admin_keep
org.freedesktop.login1.hibernate                                auth_admin_keep
org.freedesktop.login1.hibernate-multiple-sessions              auth_admin_keep

This should prevent ordinary users from shutdown, reboot, suspend and hibernate the system, shouldn't it?

Well, it doesn't. 

The Log Out menu contains Sleep, Hibernate and Log Out options, hence it cares about power-off and reboot policies already, but not suspend nor hibernate.

If a ssh session is open, the system asks for admin creds.

If it's the only login, it happily puts the system in hibernate or sleep mode.
The hibernate can be reawakened with 

VBoxManage -q startvm vnc --type headless

but the sleep takes another hard reset to be released. :-(.

Anyway, there's no business for usual remote users to suspend the system.

I might be missing something, of course, who knows...