[dtertman]

> when the user is not aware of the impersonation

I'm curious, so please don't assume ill intent. What's a valid use-case where an event would be 1) done by an impersonator, 2) not driven by the person being impersonated, and 3) produce a notification that should be squelched?

Your three use cases don't seem to lead me to those situations: In the first one, you agree that notifications are OK. I agree with that.

In the second one, it's read-only, and so I wouldn't expect notifications to be produced. If there are notifications about read-only aspects (your account was accessed, e.g.), I suppose I'd be OK with them being suppressed, but I think I'd still lean towards a custom notification (your account was accessed by an administrator, e.g.).

In the third one, shouldn't you scrub your data while you dump it? Everywhere I've ever worked that didn't scrub their data (i.e. set all of the email addresses to nobody@testingmystuff.com) eventually regretted it.