I think most folks would run away screaming from a codebase that did and did not check session data. Hopefully any company that does this has a lot of money set aside for bug bounties.
Every sizable system I’ve ever seen does it to some extent. It’s super common for static content with no security implications to not bother with a live check, or a system with high load but no major security implications (read-only content, for instance) to not do synchronous checks.
Especially if we’re talking 5-10 second session timeouts, it’s rarely even a theoretical concern and dramatically reduces load.
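
The trade-off discussed in this thread, as an added example that is not code from either commenter: read-only routes reuse a session validation result for a few seconds while sensitive routes always hit the authoritative store. `SessionGate`, the dict-backed `store` and the 5-second lifetime are assumptions made for illustration, and the session data is constructed.

```python
import time

class SessionGate:
    """Live store lookup for sensitive routes; short-lived cached result for the rest."""

    def __init__(self, store, ttl_seconds=5.0, clock=time.monotonic):
        self.store = store        # authoritative session store: sid -> user (hypothetical)
        self.ttl = ttl_seconds    # upper bound on how long a revoked session stays usable
        self.clock = clock
        self.cache = {}           # sid -> (user, expires_at)
        self.live_checks = 0      # counts round trips to the authoritative store

    def _live(self, sid):
        self.live_checks += 1
        user = self.store.get(sid)
        if user is None:
            self.cache.pop(sid, None)   # never keep a revoked session cached
        else:
            self.cache[sid] = (user, self.clock() + self.ttl)
        return user

    def authorize(self, sid, sensitive):
        if not sensitive:
            hit = self.cache.get(sid)
            if hit and hit[1] > self.clock():
                return hit[0]           # possibly stale, but for at most ttl seconds
        return self._live(sid)          # sensitive routes never trust the cache

def demo():
    now = [0.0]                                   # fake clock so the run is deterministic
    store = {"s1": "alice", "s2": "bob"}          # constructed sample sessions
    gate = SessionGate(store, ttl_seconds=5.0, clock=lambda: now[0])
    gate.authorize("s1", sensitive=False)         # first hit: live check, fills cache
    gate.authorize("s2", sensitive=False)
    for _ in range(100):                          # burst of read-only traffic
        gate.authorize("s1", sensitive=False)
    out = {"live_checks_after_burst": gate.live_checks}
    store.clear()                                 # both sessions revoked (logout)
    now[0] = 3.0
    out["read_only_in_window"] = gate.authorize("s1", sensitive=False)
    out["sensitive_in_window"] = gate.authorize("s1", sensitive=True)
    out["read_only_after_purge"] = gate.authorize("s1", sensitive=False)
    out["s2_in_window"] = gate.authorize("s2", sensitive=False)
    now[0] = 6.0                                  # cached entry for s2 has expired
    out["s2_after_ttl"] = gate.authorize("s2", sensitive=False)
    return out

if __name__ == "__main__":
    print(demo())
```

The 100-request burst costs no extra store lookups, and the exposure after revocation is limited to read-only routes for at most the cache lifetime.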