I have been making the assumption that in MediaWiki, the $_SESSION is hidden from the user. While applications may use the session to obtain data that's later shown to the user, there should be no way for the user to obtain the entire $_SESSION contents.
So, for instance, I can hide a temporary secret there.
Is that a good assumption?