If someone got shell access to your Volumio device via the internet, well you Volumio have much bigger issues 
This exploit is more potent for privilege escalation on shared servers etc – anyone with access to the volumio user pretty much can do as they please.
Not required, debian-security has already provided updates with patches to policykit-1