I guess this is another example of how audits are not the security fairy dust people make them out to be.
In any case thanks for the info on this , its highly informative and I will be discussing with the team on how to move forward. We will most likely be delisting Session.
As a side note, folks with proper knowledge about cryptography are very hard to come by, would you mind if I reached out to you in the future if I were to have a question about certain platforms or services regarding their cryptography implementation? I highly respect the work that you do.