digitalbazaar / bedrock-express

Bedrock express module

Reconsider default `useSession` setting

mattcollier opened this issue · comments

We know that using express session with the in-memory storage mechanism leads to memory leaks.

The default for `useSession` is true. Unless a session storage mechanism like bedrock-session-mongodb is used, the leaky in-memory store is used.

The warning here matches our practical experience: https://expressjs.com/en/resources/middleware/session.html

> **Warning** The default server-side session storage, MemoryStore, is purposely not designed for a production environment. It will leak memory under most conditions, does not scale past a single process, and is meant for debugging and developing.

https://github.com/digitalbazaar/bedrock-express/blob/master/lib/config.js#L42

I propose that the default setting for useSession should be false.

Seems legit. (changing the default.)

I'd be tempted to recommend https://github.com/roccomuso/memorystore (which is what the Express docs recommend too), which uses an LRU cache to prevent memory leaks.
But, having implemented it recently, it has one annoying property (which I'm kind of shocked is not mentioned more explicitly in the readme): it uses a `setInterval` as a polling mechanism to clean up sessions (which makes sense). But here's the problem: when you use it in unit testing, the `setInterval` still remains when the tests end, which prevents Mocha from exiting cleanly.

And the mechanism recommended by the author is super awkward.

(Jotting all this down in case future us will need to use a non-memory-leaking in-memory session store.)
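
The timer problem described in the comment above, as an added sketch that is not part of the original thread and is not code from memorystore or bedrock-express: a bounded, TTL-expiring in-memory session map whose prune timer is `unref()`'d so it cannot keep a test runner alive. The class name `BoundedSessionStore` and its options are hypothetical; it is not wired to the express-session store interface.

```javascript
// Added example (hypothetical names): bounded in-memory session map.
// Two properties matter here:
//   1. size and lifetime are capped, so abandoned sessions cannot accumulate;
//   2. the prune timer is unref()'d, so it never holds the event loop open.
class BoundedSessionStore {
  constructor({ maxEntries = 1000, ttlMs = 60000, checkPeriodMs = 10000, now = Date.now } = {}) {
    this.maxEntries = maxEntries;
    this.ttlMs = ttlMs;
    this.now = now;             // injectable clock, for deterministic tests
    this.sessions = new Map();  // Map insertion order doubles as LRU order
    this.timer = setInterval(() => this.prune(), checkPeriodMs);
    this.timer.unref();         // a pending prune must not block process exit
  }

  set(sid, data) {
    this.sessions.delete(sid);  // re-insert so sid becomes most recent
    this.sessions.set(sid, { data, expires: this.now() + this.ttlMs });
    while (this.sessions.size > this.maxEntries) {
      // Evict the least recently used entry (first key in the Map).
      this.sessions.delete(this.sessions.keys().next().value);
    }
  }

  get(sid) {
    const entry = this.sessions.get(sid);
    if (!entry) return undefined;
    if (entry.expires <= this.now()) {
      this.sessions.delete(sid); // expired: drop on read
      return undefined;
    }
    this.sessions.delete(sid);   // refresh recency without extending the TTL
    this.sessions.set(sid, entry);
    return entry.data;
  }

  // Remove every expired entry; returns how many were removed.
  prune() {
    const t = this.now();
    let removed = 0;
    for (const [sid, entry] of this.sessions) {
      if (entry.expires <= t) { this.sessions.delete(sid); removed++; }
    }
    return removed;
  }

  // Explicit teardown for test hooks (e.g. Mocha's after()).
  close() { clearInterval(this.timer); }
}
```
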

+1 to turning off session support by default. More services don't need it than do, and you should have to turn it on if you want to use it, since it causes a number of problems/uses resources if you don't.