The idea is to only allow user accounts in the wheel group to invoke su to take on root privileges. So, if someone had access to a random user account and knew the root password it wouldn’t do them any good.