Granting a service-account role such as `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator` at the project level lets the grantee act as, or mint tokens for, every service account in the project, including any created later. Because the grantee inherits the combined permissions of all those service accounts, a project-wide grant is effectively a privilege escalation path. Instead, grant the role on the individual service accounts that the principal actually needs to use.
Privilege escalation: impersonation of any or all service accounts in the project, and therefore access to everything those service accounts can reach.
Grant service-account roles at the service-account level (for example with `google_service_account_iam_member`) rather than at the project level, and only for the specific service accounts a principal needs.
The following example will fail the google-iam-no-project-level-service-account-impersonation check.
The following example will pass the google-iam-no-project-level-service-account-impersonation check.
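To make the failing and passing cases concrete, the following Terraform is an added illustration written for this page; it is not the project's own example and has not been run through the check. The project ID, service account name and member address are placeholders, and the assumption that the check matches both `roles/iam.serviceAccountUser` and `roles/iam.serviceAccountTokenCreator` is mine.

```hcl
# Insecure: a service-account role bound at the project level.
# The member can act as every service account in the project,
# including ones created after this binding, and so inherits all of
# their permissions. This is the pattern the check is meant to flag.
resource "google_project_iam_member" "insecure_project_wide" {
  project = "my-project"                     # placeholder project ID
  role    = "roles/iam.serviceAccountUser"   # assumed to be a role the check matches
  member  = "user:alice@example.com"         # placeholder principal
}

# The same problem with token creation: project-wide, the member can mint
# OAuth tokens for any service account in the project.
resource "google_project_iam_member" "insecure_token_creator" {
  project = "my-project"
  role    = "roles/iam.serviceAccountTokenCreator"
  member  = "user:alice@example.com"
}

# Secure: the role is scoped to a single, named service account.
resource "google_service_account" "deploy" {
  account_id   = "deploy-sa"                 # placeholder account ID
  display_name = "Deployment service account"
}

# google_service_account_iam_member binds on the service account resource
# itself. `.name` yields the fully-qualified
# projects/{project}/serviceAccounts/{email} form that service_account_id expects.
resource "google_service_account_iam_member" "secure_scoped" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.serviceAccountUser"
  member             = "user:alice@example.com"
}
```

A quick way to audit an existing project for the insecure pattern, independent of Terraform, is to list the project-level policy filtered to the roles above, for example `gcloud projects get-iam-policy my-project --flatten="bindings[].members" --filter="bindings.role=roles/iam.serviceAccountUser"`; any members returned hold the role project-wide and should be moved to per-service-account bindings as in the secure resource.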