Raydium's programs are all owned by the BPF Upgradeable Loader, which allows an Upgrade Authority to upload updates and improvements when necessary. Raydium holds the following Upgrade Authorities for the respective programs which can be found below. The only role is OnlyOwner. Programs are fully upgradeable and labelled as such when searched on Solscan, however all changes are reviewed by core team members before implementation.
Currently, Raydium does not employ a timelock program function for updates. Significant effort is made with review of changes and testing internally before updates are pushed live. In the case of larger updates Raydium has relied on experienced security whitehats for review via bug bounties.
Future timelock mechanisms are likely to be implemented as code moves towards open sourcing to allow time for further community review and governance comes in to play.