pushsecurity / saas-attacks

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown

Home Page: https://pushsecurity.com/blog/saas-attack-techniques/


Potential new technique - delegated access

jukelennings opened this issue

While reviewing Expensify for a couple example additions to techniques, I noticed this co-pilot functionality. This is essentially a form of delegating access to other users of the application so they can impersonate you. The "full access" option is almost equivalent to a full login.

Expensify offers "secondary logins", which function for a "ghost logins" attack, but this example feels a little different. Perhaps we need a new technique in the matrix to cover situations where you can delegate control of your account to another account, as a separate attack, since it has other implications.
