> I've long forgotten why, but I committed "sudo su -" to muscle memory
First, you execute sudo with target UID 0 (aka. root). While doing that, sudo does all the fancy things for you, like setting or unsetting environments (eg SUDO_COMMAND, SUDO_UID, SUDO_USER) and check, if you will be granted to run $ANY_COMMAND or may be /bin/su with that target UID 0. Next, with UID 0, you run /bin/su in order, to gain a login shell. Now '/bin/su -' runs the login process stripping all the things set before off. Just to run /bin/sh at the end. You could have run 'sudo -c /bin/sh'. In reality, 'sudo -i [-u TARGET_USER]' is your friend. Always.