having sensitive data in the session does not need to be a problem if the session is kept on the server (file / db or anything)
If the queries are taking long, you should put it in the session.
But be aware, the session could be in the DB itself (so still requiring a query) or file based on the server (file access is usually slower then a DB query)