I found a test case described as:
Tests that shadowers are allowed to kill other users' sessions
and verified that handler_killsession.py actually allows this.
It sound very strange that a shadower should be given any other XML-RPC access
Pierre thinks its related to some kind of administrator functionality, eg. kill session using session list dialog upon shadowing. However, this dialog is only shown under certain circumstances.