Hi,
I am not sure if SNC is required, but it's a good idea to encrypt traffic. I don't understand what you mean by "out of the box" impersonation. RFC works exactly the same from an authentication point of view as any other connection, e.g. HTTP. You need to be authenticated somehow to execute RFC. It would be a massive hole if the client could choose which user will be used for execution. BTW, this is how the BO server works. When you use an ABAP user, it first calls an FM using a service user to get a logon ticket, and this logon ticket is then reused for all subsequent calls. If you use a BO internal user, you need to set up a trust between BO and the ABAP AS. When you do that, the BO server can generate a valid ticket for any user. Note that SAP does not provide a library to generate these logon tickets.
Cheers