Hi,
HikaShop does not and never did clear any data it adds to the user session.
The data in the user session automatically clears when the user session expires and Joomla deletes it.
You're saying that you looked at an older version of HikaShop and the behavior was different regarding the clearing of user session data during the logout. However, since HikaShop is not involved there, I suppose that on the website with that older version of HikaShop, you're using an older version of Joomla. And thus, it's probably the behavior of Joomla which changed on that end at some point.
I searched a bit online about this change of behavior but I couldn't find anything conclusive.
Regarding a security issue, I don't think it changes anything.
If the user session can be compromised by an attacker when the user is logged out after being logged in, then I don't see a reason why that same attacker couldn't compromise the user session while the user is still logged in.
Also, getting the user session cookie is not easy nowadays. Now, all the websites implement SSL (HTTPS). And thus, the data being transferred between the browser and the server is encrypted from end to end, and this includes the user session cookie.
A man-in-the-middle attack on the connection between the browser and the server doesn't seem realistic unless you're the NSA, and even then, it must not be easy for them, if possible at all. That's actually why all browsers now display an error page when you try to access a website without SSL so that snooping on the connection is not possible.
A more realistic approach would be for a browser extension to get access to the cookies, but if the extension is already on the machine of the user, it can do a lot more than just getting the user session cookie of a random website (like directly getting the credit card information of the user).
Another approach would be to get the user session id from the database. But if the attacker already has access to your database, or your PHP files, then your website is already compromised.
Basically, I wouldn't be worried about what you found out.
Besides the security implications I discussed above, keeping the user session data has some advantages, like HikaShop being able to keep track of what products were already visited by the user (so that if you have a listing of recently visited products, it can display a coherent listing even after logout).