It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications. One of those ramifications could then result in a vulnerability chain compromising user impersonation functionality.
I have seen far, far more incredulous head scratchers in penetration tests and code reviews. The interaction boundaries of, or middleware between, two seemingly unrelated systems is generally a good start to look for a security vulnerability.
I get this part. But why would it affect only videos and not other entities (photos, status etc.)? I would think creating (or uploading) any of the entities have the same authorization and authentication ramifications. What could be different for videos? Unless the privacy models are so fine grained that you can have different privacy settings for different entities (haven't used Facebook in years, so I don't really know). Your explanation makes sense, I'm just looking for a concrete example.
The problem is often that there are multiple sources of truth for who the user is. And if you have an impersonation feature, you by definition have two sources of truth: who the user actually is, and who the user is impersonating. It would just be a matter of a single mistake of using the wrong one.
Considering that "view as" requires your page view to render every control as the impersonated user but only when it comes to your profile, but renders all controls outside of your profile as the original user, I could see any engineering team dealing with some very carefully drawn and potentially confusing boundary cases.
Edit: just to elaborate, it's not just obvious impersonation contexts where this gets interesting. For example, linking your Humble Bundle account to your Steam account, or on Netflix which user you are vs. which email address is being billed. Many apps have a function to share some document using a one-time expiring token. If you're also logged in, then do you read permissions from the shared token or from your account? If you mix them, do you make sure anything that writes to this shared view can't touch your account itself on accident? We don't think about it much but I think you can see how these subtle distinctions are important when you are thinking about access control, and that makes it a breeding ground for subtle mistakes.