@shahn, please excuse the delay on my response.
After an internal discussion, indeed these are normal events, and the logon type 9 is used when a process needs to communicate with another component.
The example my RND colleagues mentioned was consider adding a Windows server to Veeam as a repository; we add credentials, and later need to install components onto the Windows server. After connection and installation of our services, we need to communicate with the services, and this is where the impersonation logon comes into play as the Veeam.Backup.Manager process needs to communicate with the Deployment or Transport services for example.
There's more info in
this article from Microsoft if you're interested, but the TL;DR is "it's expected and normal".
"This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections."