user "user_xyz" is a regular user in sudo group.

Do not add untrusted users to the sudo group

The sudo group in Ubuntu is a special purpose group, making a regular user a member there grants them full administrator rights; and they are no longer a "regular" user. By design and by default that group membership grants the user unrestricted sudo privileges. Administrators in the sudo group can use the sudo command to run any command or tool with full privileges and access all data and settings of all other users, services and components on that system.

# Uuntu defaults in /etc/sudoers
...
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

Group membership in the sudo group also grants administrator privileges elsewhere in addition to sudo, for example in PolicyKit / polkit enforced policies for (GUI) applications.

# Ubuntu defaults in /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

If the user run an app, can the app elevate the user to be a root user causing security issue?

Even when you don't add the user to the sudo group and instead create a sudoers policy that will only allow your user to run a single command/application with sudo and at elevated root privileges, be aware that often there unexpected ways in which the user might be able to use that limited access to gain more privileges than you intended.

See for example the Q&A here about using sudo rights to a text editor to gain more privileges : Why is it risky to give sudo vim access to ordinary users?

Even limited sudoers policies should only be granted to users that are to be trusted.