Restricting Sensitive Data Access During Impersonation in VR and SIR

Filip Laznicka
Tera Guru

We want to limit users with the impersonate role (which includes admins and certain non-admins) from accessing sensitive data in VR and/or SIR applications when impersonating other users.

Use Case:
A remediation owner is assigned a critical, exploitable Vulnerable Item (e.g., findings from a scanner or penetration test).

  • Requirement: Users with the impersonator role must be able to impersonate this user without viewing the sensitive records. VR Admins can impersonate this user and see all the records.
  • Challenge: With over 10,000 remediation owners, we cannot implement a restriction on impersonating all remediation owners.

What we have tried:

  1. The script include ImpersonateEvaluator only allows us to restrict impersonation for certain users completely.
  2. The GlideImpersonate().isImpersonating() script can be used to hide records for all impersonated users. However, this would also prevent VR admins from accessing these records when impersonating, which is not desirable.

Question:
How can we achieve the desired functionality where:

  • Sensitive records (Vulnerable Items and Security Incidents) are hidden when admins or non-admins impersonate users (except for VR admins)?

Any suggestions or ideas for implementing this?
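One way to build on the GlideImpersonate().isImpersonating() check from the post is to key the restriction on the roles of the impersonating user (not the impersonated one) in a before-query business rule, so a VR admin who impersonates still sees everything while any other impersonator gets an empty result set. This is an added example, not code from the post or from ServiceNow; it assumes the VR admin role is named 'sn_vul.admin', that the rule is attached to the Vulnerable Item and Security Incident tables, and that gs.getImpersonatingUserName() is available to the rule.

```javascript
// Added example: before-query business rule logic that hides sensitive
// records from impersonators who are not VR admins.
// Assumption: the VR admin role is 'sn_vul.admin' (adjust to your instance).
var VR_ADMIN_ROLE = 'sn_vul.admin';

// Pure decision logic, kept free of platform globals so it can be tested offline.
// isImpersonating: boolean from GlideImpersonate().isImpersonating()
// impersonatorRoles: array of role names held by the impersonating user,
//                    or null when the session is not impersonated.
// Returns true when the query should be forced to return no rows.
function shouldHideSensitiveRecords(isImpersonating, impersonatorRoles, adminRole) {
  if (!isImpersonating) {
    return false;                 // real user session: normal ACLs apply
  }
  if (!Array.isArray(impersonatorRoles)) {
    return true;                  // impersonator unknown: fail closed
  }
  return impersonatorRoles.indexOf(adminRole) === -1;
}

// Platform glue (runs only on ServiceNow; GlideRecord and gs are platform globals).
// Collects the role names of the user who started the impersonation.
function impersonatorRoleNames(impersonatorUserName) {
  var names = [];
  var gr = new GlideRecord('sys_user_has_role');
  gr.addQuery('user.user_name', impersonatorUserName);
  gr.query();
  while (gr.next()) {
    names.push(String(gr.role.name));
  }
  return names;
}

// Body of a "before query" business rule on sn_vul_vulnerable_item and
// sn_si_incident (table names assumed). `current` is the query GlideRecord.
function hideFromNonAdminImpersonators(current) {
  var impersonating = new GlideImpersonate().isImpersonating();
  var roles = impersonating
    ? impersonatorRoleNames(gs.getImpersonatingUserName())
    : null;
  if (shouldHideSensitiveRecords(impersonating, roles, VR_ADMIN_ROLE)) {
    current.addQuery('sys_id', '-1');   // matches nothing: list and form come back empty
  }
}
```

Because the decision is driven by the impersonator's roles, no per-user restriction is needed for the 10,000 remediation owners; the same rule covers all of them.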
