As discussed with @sschu, we can add an impersonate-members scope to the group resource type to make it easier to manage the users that a realm administrator can impersonate.
Today, this is possible by using a user resource type permission as a repository (like a group) for all users for whom you want to enforce access to the impersonate scope. While this works, it is not the best management experience and also introduces additional overhead when filtering users.