
That's not how secure session management works.


It's plenty secure in the sense that you can't forge a session. It's not secure in the sense that the data is inaccessible if you know how to base64 decode a cookie.

If you're using cookie sessions, you should know better than to store sensitive information in the session.


In other words, because they are holding sensitive information in their cookies encoded only via base64 it's not secure. In other words, what I said.
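An added example (not code from any commenter) of the signed cookie session the thread is arguing about: the payload is only base64-encoded, so anyone holding the cookie can read it, while the HMAC tag means a modified payload or a different secret is rejected. The secret and the session contents are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for this example


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding, as cookie-safe serializers commonly do
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, secret: bytes = SECRET) -> str:
    """Serialize the session as JSON, base64 it, and append an HMAC-SHA256 tag."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(cookie: str, secret: bytes = SECRET):
    """Server side: return the session dict if the tag checks out, else None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered payload or wrong key: session rejected
    return json.loads(_unb64(payload))


def read_without_key(cookie: str) -> dict:
    """Client side: no key is needed to read the payload, only base64 decoding."""
    return json.loads(_unb64(cookie.rpartition(".")[0]))


def replace_payload_keep_tag(cookie: str, new_session: dict) -> str:
    """Swap in a different payload but reuse the old tag; verification must fail."""
    tag = cookie.rpartition(".")[2]
    return f"{_b64(json.dumps(new_session, sort_keys=True).encode())}.{tag}"


if __name__ == "__main__":
    cookie = sign_session({"user_id": 42, "role": "user"})
    print("readable without key:", read_without_key(cookie))
    print("verified:", verify_session(cookie))
    forged = replace_payload_keep_tag(cookie, {"user_id": 42, "role": "admin"})
    print("modified payload verifies:", verify_session(forged))
```

The takeaway matches the thread: integrity is protected, confidentiality is not, so the mitigation is to keep secrets out of the cookie or use an encrypting serializer.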