Is there a way to not send any user information to the client JavaScript?

[konstantin-lukas]

Consider the following scenario
You have a website that uses OAuth providers like Google to authenticate users just as a way to protect against bots or people needlessly creating entries in your DB without the need to store password hashes yourself. The frontend doesn't need to know any user information. A user's actions are authorized by sending the encrypted JWT from the HTTP-only cookies with each request. Since the website doesn't handle any sensitive data, someone's JWT getting stolen wouldn't be a huge deal. Since the JWT is encrypted, you wouldn't be able to read the payload. I would like to make it so that the frontend never gets to know any session information. I'm saying this because with the useSession hook you have access to the user's name, email etc. Since I don't need this information on the frontend and it is included in the encrypted JWT, it would be nice to just not send this information to the frontend in the first place because that way someone with a stolen JWT wouldn't be able to access a user's email address. At least I see no obvious way of doing that in this example. Of course, they would be able to mess with the other data tied to that account but because that data is not confidential, it wouldn't be a problem. I know this is a pretty specific example but is there a way to include the user data in the encrypted JWT but not send it to the client (e.g. the useSession hook)?

Edit: I saw in the docs that you can delete the user object from the session with the respective callback. Does this guarantee that user information isn't send to the client, i.e. are there any other places where this information might be sent to the client?