Hi @Ziu_
Welcome to Google Cloud Community!
Based on available docs regarding service accounts, it is possible to setup domain-wide delegation to a service account to impersonate any user in Cloud Identity or Google Workspace account.
Please note that Domain-wide delegation cannot restrict a service account to be used by a certain user on the Cloud Identity or Workspace account to impersonate (which includes super-admins), therefore service accounts could be target for a privilege escalation attacks.
If you wish to accomplish tasks using a service account and avoid such security risks, you can use Oath consent flow. If domain-wide delegation couldn't be avoided, you can, restrict the set of OAuth scopes that the service account can use. This only restrict the types of user data of which the service account could access.
I hope this information is helpful.
If you need further assistance, you can always file a ticket on our support team.