#5079 - Add additional admin session security / confirmation for sensitive member actions

Patrick and I have discussed this, and it is basically happening already, in the sense that sessions must be confirmed to use the Admin Zone or to edit/delete members. I am going to clean up that code a bit though, as it's not formalised enough IMO.
However, through discussion with Patrick some more specific ideas came up, so I'll post these as new issues.
The more I thought about this, the more I realised it is a thorny issue to do anything radical and yet there were some tweaks we could do that got us to a similar place, effectively.

Problems:
1) It would be slavish to forcibly give member detail lookup more security than, say, the zone editor, or anything that could cause massive havoc to totally destroy a site.
2) ... so we'd need proper configurability. But trying to implement a way of manually configuring different kinds of session confirmation timeouts for different areas would be like creating an entirely new parallel privileges system, a massive effort.
3) It's a lot easier said than done forcing re-login. What if login is automatic via LDAP? What if it is through OAuth? What if login is 2FA (looking ahead here), do we force a full 2FA step to do stuff? Does that become configurable?

So instead, I think it's best to just bolster the existing system of forcing confirmed sessions and applying reasonable privileges.

I made these main changes:
1) Forced "view_any_profile_field" for member export (i.e. on top of normal Admin Zone access)
2) Forced "member_maintenance" for member import (FYI "assume_any_member" was already needed for importing usergroup changes)
3) Adjusted the Setup Wizard's high security profile to time out sessions in 20 mins, and medium to 1 hour (which is the default pre-Setup Wizard anyway); this reduces the core issue of an admin confirming a session and then leaving their desk long enough for a sneak to mess with their machine
4) Only put password in exported spreadsheet if "assume_any_member" privilege
5) Fix session confirmation requirement for member account editing/deleting (was broken!)
6) Prevent AJAX scripts (etc) from bumping session timeout; we don't want an admin's machine to be left on and the notification poller (for example) to keep the session alive forever
7) Changed viewing member e-mail addresses to use the view_any_profile_field privilege not the member_maintenance privilege (for consistency)
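As an added illustration (not Composr's code and not the poster's), the following Python model captures the rules listed in the post: a sensitive member action needs a confirmed session that has not idled past the profile's timeout, then the named privilege; AJAX requests do not count as activity, so a poller cannot keep a confirmed session alive; and the export only includes the password column when the caller holds assume_any_member. The action labels, the "high"/"medium" profile names, the non-password export columns and the choice to model edit/delete as needing confirmation but no specific privilege are assumptions made for this example.

```python
from dataclasses import dataclass

# Confirmed-session idle timeouts in seconds, using the post's figures:
# high security profile = 20 minutes, medium = 1 hour.
CONFIRM_TIMEOUTS = {"high": 20 * 60, "medium": 60 * 60}

# Privilege required per sensitive action, per the post. Action names are
# hypothetical labels for this model, not Composr hook names. Edit/delete are
# modelled as needing only a confirmed session (assumption: the post states
# the confirmation requirement but no specific privilege for them).
REQUIRED_PRIVILEGE = {
    "export_members": "view_any_profile_field",
    "import_members": "member_maintenance",
    "view_member_email": "view_any_profile_field",
    "edit_member": None,
    "delete_member": None,
}


@dataclass
class Session:
    member_id: int
    privileges: set
    confirmed: bool = False      # member re-authenticated to "confirm" the session
    last_activity: float = 0.0   # time of the last non-AJAX request


def confirm(session, now):
    """Mark the session confirmed (after re-authentication) and reset idle time."""
    session.confirmed = True
    session.last_activity = now


def touch(session, now, is_ajax):
    """Record a request. AJAX traffic (e.g. a notification poller) must not
    bump the idle clock, otherwise an unattended admin machine stays confirmed."""
    if not is_ajax:
        session.last_activity = now


def is_confirmed(session, now, profile):
    """True while the session is confirmed and has not idled past the profile timeout."""
    if not session.confirmed:
        return False
    if now - session.last_activity > CONFIRM_TIMEOUTS[profile]:
        session.confirmed = False   # confirmation lapses; member must re-confirm
        return False
    return True


def authorise(session, action, now, profile="medium"):
    """Return (allowed, reason): confirmed session first, then the action's privilege."""
    if action not in REQUIRED_PRIVILEGE:
        return False, "unknown action"
    if not is_confirmed(session, now, profile):
        return False, "session not confirmed"
    needed = REQUIRED_PRIVILEGE[action]
    if needed is not None and needed not in session.privileges:
        return False, f"missing privilege {needed}"
    return True, "ok"


def export_columns(session, now, profile="medium"):
    """Columns for the member export (constructed set); the password column is
    only included when the caller also holds assume_any_member."""
    allowed, reason = authorise(session, "export_members", now, profile)
    if not allowed:
        raise PermissionError(reason)
    columns = ["id", "username", "email"]
    if "assume_any_member" in session.privileges:
        columns.append("password")
    return columns


if __name__ == "__main__":
    # Constructed scenario: admin confirms, then only AJAX polls for 25 minutes.
    admin = Session(member_id=1, privileges={"view_any_profile_field"})
    confirm(admin, 0.0)
    for t in range(60, 25 * 60, 60):
        touch(admin, float(t), is_ajax=True)
    print("high profile after 25 min of polling:", authorise(admin, "export_members", 25 * 60.0, "high"))
```

Under the "high" profile the polling-only session lapses after 20 minutes and the export is refused; under "medium" the same session is still inside its hour, but the export still omits the password column unless assume_any_member is held.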