A possible compromise I have proposed is to have some declared access restrictions on simple session variables, so that say only the owner can access it, but they should stay and look like light-weight session variables nevertheless. That could look like:
SET ROLE Admin; DECLARE @secure_variable INTEGER RESTRICT; -- only accessible to Admin