@Mer__edith The scenario that has been mentioned lately is "an attacker with temporary read-only access to the filesystem can copy session data and hijack the session indefinitely without any indication".

This CAN be mitigated, and plenty of other messaging applications have done so for many years. The most obvious solution to this particular problem is using the platform-specific keyring to store the session token so that it is encrypted at rest.