This feature should be controllable for business/enterprise customers (on/off) as it presents some security risk of users sharing data or accidental data loss outside of the business or with someone they are not supposed to inside the business. Granted this would be similar to a user sharing their password with someone, but still worth the risk mitigation.
I also think this feature should present the user with clearer warnings that they are actually logging into their account on the screen, not just sharing it. This means the screen user (if not the actual user) has the full access of the person logged in.
Maybe also prevent this feature from working on devices in a different network (limiting possibility of someone sharing the code and allowing a person to log in from a remote location).
