Hey, I have a serious issue about storing things in the session state

Hi folks! :wave: Streamlit developer experience PM here. Thanks for raising this and the great questions. Just to clarify answers on a couple of the questions for session_state specifically:

  • Values your app stores in session_state are NOT sent to the browser or otherwise available client-side in any way. These only live on the server. Widget values (e.g. the value on your st.slider) originate in the client and thus could be accessed there, and these will also be stored in session_state, but this is incidental and unavoidable. If you found some docs or code that suggested otherwise, please let us know so we can clarify them!
  • There should not be vulnerabilities where an attacker can access the session_state of another app user. The session implementation is based on tornado.websocket.WebsocketHandler, which is secure. If someone could access your session ID (which is not tied to any simple guessable value) they could connect to your session, but in practice this would require the attacker to have a high level of control in your browser already, similar to other cookie spoofing or cookie poisoning attacks.

For some of your other questions related to apps hosted in Community Cloud: On Community Cloud, each app has its own pod/containers and is isolated from all other apps on the platform. This includes your app's session_state and source code, which is maintained server-side on a containerized file system dedicated to you. An attacker would need highly privileged access on the system or access to your personal login to get to these resources.

For self-hosted Streamlit apps, securing source code and their server in general is the user's responsibility, and Streamlit can't really control that environment. Let us know if this helps or if you have further questions!

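The practical consequence of the reply above is that two kinds of data share session_state with very different trust levels: values your server code wrote there, and widget values that were chosen in the browser. The following is an added example, not code from the original thread or from Streamlit itself; it uses a plain dict as a stand-in for st.session_state so it runs without a Streamlit server, and the roles, dataset names and login flow are constructed for illustration. It shows an anti-pattern (deriving authorization from a widget value) next to the hardened version (authorization decided server-side, the widget only selecting among options the server already allowed).

```python
"""Added example (not from the original thread or Streamlit's code).

Models the trust boundary the reply describes: st.session_state lives on the
server, but widget values originate in the browser and are attacker-controlled.
The dict passed around below stands in for st.session_state; the roles and
dataset names are constructed sample data.
"""
from collections.abc import MutableMapping

# Constructed sample data: which datasets each role may read.
ROLE_DATASETS = {
    "analyst": {"sales_2023", "sales_2024"},
    "admin": {"sales_2023", "sales_2024", "payroll"},
}


def login(session: MutableMapping, username: str, role: str) -> None:
    """Called after the app has authenticated the user (how is out of scope here).

    The role is written by server-side code and never read back from a widget,
    so it is the only input this example treats as trustworthy.
    """
    session["user"] = username
    session["role"] = role
    session["allowed_datasets"] = set(ROLE_DATASETS[role])


def load_dataset_vulnerable(role_from_widget: str, dataset_from_widget: str) -> str:
    """Anti-pattern: authorization derived from a widget value.

    A role picked in a selectbox (or any hidden/default widget value) originates
    in the client and can be replaced there; the server only sees the final value.
    """
    if dataset_from_widget in ROLE_DATASETS.get(role_from_widget, set()):
        return f"rows of {dataset_from_widget}"
    raise PermissionError(dataset_from_widget)


def load_dataset_hardened(session: MutableMapping, dataset_from_widget: str) -> str:
    """Hardened: the allowlist comes from server-side session_state.

    The widget still supplies the dataset name (it has to; that is user input),
    but membership is checked against what the server decided at login.
    """
    if "user" not in session:
        raise PermissionError("not logged in")
    if dataset_from_widget not in session["allowed_datasets"]:
        raise PermissionError(dataset_from_widget)
    return f"rows of {dataset_from_widget}"


def demo() -> tuple[str, str]:
    """Simulates an analyst whose browser sends role='admin' and dataset='payroll'."""
    session: dict = {}
    login(session, "alice", "analyst")
    vulnerable_result = load_dataset_vulnerable("admin", "payroll")  # forged role wins
    try:
        load_dataset_hardened(session, "payroll")
        hardened_result = "allowed"
    except PermissionError:
        hardened_result = "denied"
    return vulnerable_result, hardened_result


if __name__ == "__main__":
    print(demo())
```

In a real app the selection widget would be built from the server-side allowlist, for example `st.selectbox("Dataset", sorted(st.session_state["allowed_datasets"]))` (an assumed usage, not from the thread), and the membership check in `load_dataset_hardened` stays in place anyway, because the options offered by the widget are not a guarantee of the value that comes back from the browser.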