The problem at hand though is that (at least with Bionic, possibly with Xenial too), if I start a vnc server on the box and connect to it, nm-applet won't run in vnc, failing with "Not authorized to control networking".
Fortunately there is a workaround (and I agree with the OP, it's too bad this doesn't ship with at least templates to copy, or disabled configuration in place).
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643028#59
Create (or edit, if already there) /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla to contain:

[nm-applet]
Identity=unix-group:netdev
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes
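
A way to review what a rule like the one above grants, as an added example that is not part of the original post: it parses .pkla text and flags entries that return "yes" without a prompt for any session, for wildcard actions, or for wildcard identities. The function names and finding labels are assumptions made for this example, and the sample input is constructed from the rule in the post.

```python
import configparser

# Constructed sample: the rule quoted in the post above.
SAMPLE_PKLA = """\
[nm-applet]
Identity=unix-group:netdev
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes
"""

def _items(value):
    """Split a semicolon-separated .pkla list, dropping empty entries."""
    return [v.strip() for v in value.split(";") if v.strip()]

def parse_pkla(text):
    """Return one dict per [section] of a .pkla key file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keys such as ResultAny are case-sensitive
    cp.read_string(text)
    return [{
        "name": name,
        "identities": _items(cp[name].get("Identity", "")),
        "actions": _items(cp[name].get("Action", "")),
        "results": {k: cp[name].get(k, "") for k in
                    ("ResultAny", "ResultInactive", "ResultActive")},
    } for name in cp.sections()]

def audit(rules):
    """Flag grants that skip authentication more broadly than needed."""
    findings = []
    for r in rules:
        unprompted = [k for k, v in r["results"].items() if v == "yes"]
        if "ResultAny" in unprompted:  # also covers non-console sessions
            findings.append((r["name"], "any-session-yes"))
        if unprompted and any("*" in a for a in r["actions"]):
            findings.append((r["name"], "wildcard-action"))
        if unprompted and any(i.endswith(":*") for i in r["identities"]):
            findings.append((r["name"], "wildcard-identity"))
    return findings

if __name__ == "__main__":
    for name, code in audit(parse_pkla(SAMPLE_PKLA)):
        print(f"[{name}] {code}")
```

For the rule in the post this reports any-session-yes and wildcard-action: every member of netdev, in any session including the VNC one, can perform every NetworkManager action without authenticating.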