which sudo will check $PATH directories and return the first match, true. however when you type sudo and hit enter your shell will look for aliases and shell functions before searching $PATH.
to see how your shell will execute 'sudo', say type sudo (zsh/bash). to skip aliases/functions/builtins say command sudo
meh nvm none of these work if your shell is compromised. you're sending bytes to the attacker at that point. they can make you believe anything
no, if the attacker can change files in your account, they can read every byte you type in and respond with anything, including pretending to be a normal shell. im not sure how to prevent ssh from running commands in your shell