obviously Pharos firmware 2.2.0 did introduce privilege separation for the SSH login shell. The shell does not allow to run commands which require root permissions.
Albeit it's a good idea to use privilege separation, there needs to be a way for authorized admins to run even privileged commands through ssh. For example, I need to be able to run the built-in radartool utility, which isn't possible anymore in Pharos v2.2.0 due to missing root permissions. But there is no way (at least I don't know of a way) to become root.
I'm aware that TP-Link preserves the right to change technical specifications and functions in order to improve product quality. But I think it's not o.k. to change firmware to remove functionality present before. This happened not only with Pharos products (i.e. removal of second Ethernet port, PoE pass-through on EU version of CPE510) , but also with Omada Controller (i.e. removing Client Isolation setting in favour of Guest Network).
Please consider adding a mechanism to become root in Pharos 2.2.0 again. You could either provide the su command or the sudo command to allow the admin user to become root (that's what an admin is supposed to be, isn't it?). As a last resort - and most easy to fix - you could set the SUID bit on the radartool executable and change ownership of the file to root.
Pharos up to v2.1.13 (tested on CPE510 v1.1):
# radartool numdetects
Radar: detected 0 radars
Pharos v2.2.0 (tested on the same CPE510):
$ radartool numdetects
radartool: wifi0: Operation not permitted
-sh: su: not found
BTW: The SSH setting is being reset on firmware updates even if »Keep settings« has been selected.