There’s so much on this subject over in The Impersonated user should be notified that they are being Impersonated. I still agree with the conclusions arrived at there. tl;dr it’s a rabbit hole, admins can do everything, if you don’t trust admins don’t have admins.
Maybe another approach would be to add some friction to impersonating by
- adding an “are you sure” popup, reminding that it will be logged and if they just want to test something they may prefer to create a test user and delete it again when done. just in time education, as it were.
- send the link to impersonate by email (this would have the added benefit of being able to log in in a separate window?) similar to the backup download
I also like the idea of an admin setting to disable impersonation, default disabled. Doesn’t even need to be a hidden setting but having the setting, like backup restore, will lower the risk that someone will get in the habit of impersonating another user or do it by accident.