This could be called something akin to flash of unstyled content. It happens because the template runs before your subscription data is available. I also looking forward to what approaches are commonly used in the community to handle this.
Neither of those approaches is secure. In the first example, I can set the Session variable through my browser’s web inspector and override your value.
The only secure way to do this is to do the verification on the server and only ever return documents belonging to the user. Methods and publications have access to the user id of the connecting client and this cannot be manipulated externally.