Exact!. As long as you use the metafields to trigger/drive logic with the values stored, it's very low risk stuff. If on the other hand you are choosing to visibly display the extra information stored, you run the very real risk of having customer X rewrite the metafields for other customers and making their sessions display whatever nonsense/trash they want. In fact, since metafields can store arbitrary strings, any customer could leverage this to render payloads of nasty depending on how you choose to render the data in your theme.