A really neat thing for masquerade would be able to set role-level permissions as to what role can masquerade as whom.
For example, on a site I'm building, we have a bogus role that helps us track some internal dummy users. It'd be really neat if we could restrict masquerade from allowing others to masquerade as the dummy users (they all have the same role).
Alternatively, perhaps it could be set up so that you can say that users of Role A can masquerade as users of Roles B and C, but users of Role B can only masquerade as users of Role C, and C can't masquerade as anyone.
It's similar to what's already in place in terms of the "Admin" role, but I think this method would ultimately be more useful.