I noticed below today. I'm guessing this has been this way for a long time, and the community just accepts it? Does anyone know of a way to mitigate this?
If a user has the screen locked, any admin account can unlock the screen and have full access to the desktop/applications/network under the identity of the originally logged in user. This is a huge security issue. NO ONE should be able to operate as another user like that, with the exception of explicitly granted sudo privileges in a shell.
Then disable it?
What baseline are you running? CIS? DISA?
This has been true of OS X basically... since OS X started.
Section 5.16 of the CIS 10.13 baseline addresses the issue, FWIW.
Here's some discussion here in Jamf Nation on how to disable.
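An added audit helper, not part of this thread or of Jamf: it classifies the macOS authorization right that governs who may unlock a locked screen, so you can check whether machines are still on the default rule that also lets administrators unlock another user's session. The right name `system.login.screensaver` and the rule names are assumptions drawn from macOS's authorization database, not from the posts above; confirm them on your build.

```shell
#!/bin/sh
# Added audit helper (not from this thread). Classifies the macOS authorization
# right "system.login.screensaver", which decides who may unlock a locked screen.
# Right and rule names are assumed from macOS's authorization database.

# classify_screensaver_rule: read the XML plist dump of the right on stdin and
# print PASS (only the session owner can unlock), FAIL (admins can unlock too),
# or REVIEW (a rule this script does not recognise).
classify_screensaver_rule() {
    # Take the first <string> that follows the <key>rule</key> entry.
    rule=$(sed -n '/<key>rule<\/key>/,/<\/array>/p' |
           sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' | head -n 1)
    case "$rule" in
        authenticate-session-owner) echo "PASS" ;;
        *admin*)                    echo "FAIL" ;;
        *)                          echo "REVIEW" ;;
    esac
}

# Constructed sample resembling `security authorizationdb read system.login.screensaver`
# on a default install, where the rule also permits administrators.
SAMPLE_DEFAULT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>class</key>
    <string>rule</string>
    <key>rule</key>
    <array>
        <string>authenticate-session-owner-or-admin</string>
    </array>
</dict>
</plist>'

# Constructed sample after hardening to the session owner only.
SAMPLE_HARDENED='<plist version="1.0"><dict><key>rule</key><array>
<string>authenticate-session-owner</string></array></dict></plist>'

# On a Mac, audit the live right (the command does not exist elsewhere):
#   security authorizationdb read system.login.screensaver | classify_screensaver_rule
# Remediation an admin would apply as root (assumed syntax; confirm on your build):
#   security authorizationdb write system.login.screensaver authenticate-session-owner

printf '%s\n' "$SAMPLE_DEFAULT"  | classify_screensaver_rule   # prints FAIL
printf '%s\n' "$SAMPLE_HARDENED" | classify_screensaver_rule   # prints PASS
```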