It's a bit clunky (as is 'apt' itself, tbh), but it should only ever install security updates and targeted bug fixes. You can configure apt relatively easily to have it download updated packages, but leave it to the user to actively install them (check out the apt configuration files in /etc/ - specifically the 'apt.d' folder).

As for Windows 10, it's in its own class of terrible design - try as they might, the Linux folks are nowhere close to matching it.

Yep it should only ever install some high priority security issues and such, and actually I suspect it's not actually doing anything complex itself (kicking off processes that perform the downloads + upgrades, but not actually applying them?) so it seems there's something weird going on :-(