In a typical PHP isntallation, $_SESSION is fairly safe. The default set-up is to store session data (ie the data in $_SESSION) inside a temporary file. You can check how your sessions are configured by examining the php.ini file. Generally you'll find this:
There's a bunch of other options, but these cover the basics. With this set up, all your session data gets written to files in the /tmp dir. The files are named /tmp/sess_SESSIONID, and are basically a serialized PHP array. When you do a session_start(), it checks the user's cookie that got passed in and loads the data from the temporary file back into $_SESSION.
If your /tmp directory is locally secure (on the server), it's a reasonably secure process. The main vector of attack would be to hijack/guess a session id, but these are generated randomly and have short lifetimes (another php.ini option by the way).