AccountProxy UserSession Object Cached

Created on 4 February 2019, almost 6 years ago
Updated 12 December 2023, about 1 year ago

I have been working with a theme that modifies the default link text for logout ( instead of 'Log Out', it says 'Log Out username'). When masquerading as other users, occasionally the 'user' object available to the theme gets stuck as a previously masqueraded user. I was able to reproduce this issue with other themes, so I do not believe it's a theme issue. I'm not sure if this is a security issue or not.

Here are my steps to reproduce:
- No caching
- Aggregate CSS & JS

To see results:
- Modify current theme so that the 'user' object is dumped (i.e. add {{ dump(user) }} in menu.html.twig)
- Create a series of users (I have 7 users in my test case, some have roles, some do not)

  1. Log in as admin user
  • object(Drupal\Core\Session\AccountProxy)#1416 (4) { ["account":protected]=> object(Drupal\Core\Session\UserSession)#115 (16) { ["uid":protected]=> string(1) "1" ["roles":protected]=> array(2) { [0]=> string(13) "authenticated" [1]=> string(5) "admin" } ["access":protected]=> string(10) "1549285509" ["name"]=> string(5) "admin" ["preferred_langcode":protected]=> string(2) "en" ["preferred_admin_langcode":protected]=> NULL ["mail":protected]=> string(17) "admin@example.com" ["timezone":protected]=> string(3) "UTC" ["langcode"]=> string(2) "en" ["pass"]=> string(55) "$S$E4KrOnehW9bcmIQncHlNuBlWvLN0WNFlQCpO9.DyJCsVo1JnME2I" ["status"]=> string(1) "1" ["created"]=> string(10) "1547652833" ["changed"]=> string(10) "1547652894" ["login"]=> string(10) "1549051823" ["init"]=> string(17) "admin@example.com" ["default_langcode"]=> string(1) "1" } ["id":protected]=> string(1) "1" ["initialAccountId":protected]=> NULL ["_serviceId"]=> string(12) "current_user" }
  • Initiate masquerade of user (david) - AccountProxy object matches user
    • object(Drupal\Core\Session\AccountProxy)#956 (4) { ["account":protected]=> object(Drupal\Core\Session\UserSession)#113 (16) { ["uid":protected]=> string(1) "5" ["roles":protected]=> array(1) { [0]=> string(13) "authenticated" } ["access":protected]=> string(10) "1549285821" ["name"]=> string(5) "david" ["preferred_langcode":protected]=> string(2) "en" ["preferred_admin_langcode":protected]=> string(2) "en" ["mail":protected]=> string(22) "email+3@gmail.com" ["timezone":protected]=> string(3) "UTC" ["langcode"]=> string(2) "en" ["pass"]=> string(55) "$S$EwHSu6Fd6T8B3yPum5SzG3SzaE2F.1HUoIjl1FUTq24HIfR/9jNj" ["status"]=> string(1) "1" ["created"]=> string(10) "1548771063" ["changed"]=> string(10) "1548771063" ["login"]=> string(1) "0" ["init"]=> string(22) "email+3@gmail.com" ["default_langcode"]=> string(1) "1" } ["id":protected]=> string(1) "5" ["initialAccountId":protected]=> NULL ["_serviceId"]=> string(12) "current_user" }
  • Unmasquerade - AccountProxy object matches user (admin)
  • Initiate masquerade of different user (jeff) - AccountProxy object matches previous masqueraded user (david)
    • object(Drupal\Core\Session\AccountProxy)#956 (4) { ["account":protected]=> object(Drupal\Core\Session\UserSession)#113 (16) { ["uid":protected]=> string(1) "5" ["roles":protected]=> array(1) { [0]=> string(13) "authenticated" } ["access":protected]=> string(10) "1549285821" ["name"]=> string(5) "david" ["preferred_langcode":protected]=> string(2) "en" ["preferred_admin_langcode":protected]=> string(2) "en" ["mail":protected]=> string(22) "email+3@gmail.com" ["timezone":protected]=> string(3) "UTC" ["langcode"]=> string(2) "en" ["pass"]=> string(55) "$S$EwHSu6Fd6T8B3yPum5SzG3SzaE2F.1HUoIjl1FUTq24HIfR/9jNj" ["status"]=> string(1) "1" ["created"]=> string(10) "1548771063" ["changed"]=> string(10) "1548771063" ["login"]=> string(1) "0" ["init"]=> string(22) "email+3@gmail.com" ["default_langcode"]=> string(1) "1" } ["id":protected]=> string(1) "5" ["initialAccountId":protected]=> NULL ["_serviceId"]=> string(12) "current_user" }

I followed this pattern a few dozen times over my 7 or so users. Most of the time the user you are masquerading as does not match the AccountProxy object. Clearing the cache (theme, render, or routing) takes care of the mismatch. But once you start masquerading around, it happens almost immediately.

To be clear - the Drupal::currentUser and all the logs appear to be working correctly. It's just when you try to access 'user' in the twig templates that you run into a weird cache issue.
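The symptom above (the first masqueraded account's markup being reused for the next one, and a cache clear curing it) is what a render cache entry that does not vary by user looks like. As an added example, not code from the issue or the Masquerade project, and assuming that is indeed the cause, this alter hook makes the core "User account menu" block's cached output vary per user, so a template that prints "Log Out username" cannot serve one account's name to another; `mymodule` is a placeholder module name.

```php
<?php
// Added example (not from the issue): vary the account menu block's render
// cache entry by the current user, so markup rendered while masquerading as
// one account (david) is never reused for a later account with the same
// roles (jeff). Assumes the stale 'user' seen in the report comes from a
// cached render entry whose contexts do not include the user identity.

use Drupal\Core\Block\BlockPluginInterface;
use Drupal\Core\Cache\Cache;

/**
 * Implements hook_block_build_alter().
 *
 * A theme whose menu.html.twig prints something account-specific, e.g.
 * "Log Out {{ user.displayName }}", must declare that the output depends on
 * the user. Otherwise the render cache keys the block only on what core
 * declares (permissions, active trail), which is identical for two
 * accounts that both carry nothing but the 'authenticated' role.
 */
function mymodule_block_build_alter(array &$build, BlockPluginInterface $block) {
  // 'system_menu_block:account' is the core plugin ID of the block that
  // renders the "User account menu" (the one holding the Log Out link).
  if ($block->getPluginId() !== 'system_menu_block:account') {
    return;
  }

  // Merge rather than overwrite: the contexts the block already declares
  // must survive. The core 'user' cache context varies the entry by uid,
  // which is exactly what changes during masquerade.
  $build['#cache']['contexts'] = Cache::mergeContexts(
    $build['#cache']['contexts'] ?? [],
    ['user']
  );
}
```

Clear the render cache once after deploying the hook; entries written before it carry the old, user-independent contexts and will keep being served until they are invalidated.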

    πŸ› Bug report
    Status

    Postponed: needs info

    Version

    2.0

    Component

    Code

    Created by

🇺🇸 United States superfluousapostrophe


    Comments & Activities

    Not all content is available!

    It's likely this issue predates Contrib.social: some issue and comment data are missing.

• 🇺🇸 United States frob US

      I think I might be experiencing something along these lines as well.

      For us storing a value in the browser session is shared when masquerading.
