You are right, I did not have a close enough look at this. Indeed in my case as well I see session files being created in that dir. This is strange since due to PHP docs, /tmp is default:
https://www.php.net/manual/en/session.configuration.php#ini.session.save-path
And in my case all settings are commented, so the default should apply 
2019-08-08 12:40:04 root@micha:/var/lib/php/sessions# grep -r 'session.save_path' /etc/php/
/etc/php/7.3/apache2/php.ini:; session.save_path = "N;/path"
/etc/php/7.3/apache2/php.ini:; session.save_path = "N;MODE;/path"
/etc/php/7.3/apache2/php.ini:;session.save_path = "/var/lib/php/sessions"
/etc/php/7.3/apache2/php.ini:; (see session.save_path above), then garbage collection does *not*
/etc/php/7.3/cli/php.ini:; session.save_path = "N;/path"
/etc/php/7.3/cli/php.ini:; session.save_path = "N;MODE;/path"
/etc/php/7.3/cli/php.ini:;session.save_path = "/var/lib/php/sessions"
/etc/php/7.3/cli/php.ini:; (see session.save_path above), then garbage collection does *not*
Reading a bid it seems that it is by distro not moved to /tmp by default, since this can be a security issue when other processes are able to read those. However since Apache has provate-tmp, this is not an issue, so session.save_path=/tmp is something that can and should be set. I just do on my system and verify behaviour.
EDIT: Jep as it should, session files are created in /tmp/systemd-private-<random_string>-apache2.service-<random_string>/tmp now. Confused why this is not default. But to be true these session files are small (single line) and neither performance nor disk I/O should significantly enhance by this.