I’m just writing this down to remind myself and hopefully saving some others some pain.
Some (all?) HP scanners requires a proprietary plug-in to be installed, prompting you to do so if you try to use a scanner application while HP Device Manager is running. Unfortunately, unless otherwise specified in /usr/share/hplip/base/password.py, it annoyingly defaults to asking for a root password with no graphical way of telling it to use a user/sudo password instead. This can be fixed by editing password.py:
sudo nano /usr/share/hplip/base/password.py
‘endeavouros’ : ‘sudo’,