allow applications with app-only token to impersonate user accounts
If an application with an app-only accesstoken could impersonate any other user (not signing them them in with username and password, but impersonating them either by id or userPrinicpalName) then the apps could act more easily on behalf of specified users.
William Ott commented
If you have an app-only token and the user's id/userPrincipalName you can just use the Graph API as documented, i.e.:
And if you only have an email of the user, you could to the following to get his id: