This is hardly a flaw in Rails - if the user's login session isn't ended before handing physical access to another person, that's not really the software's problem.
I didn't say it is a flaw. IMHO the default caching setting is how it should be, but the developer should be aware of HTTP caching, and should turn it off where it can lead to information leaking.
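
One way to turn caching off only where it matters, as an added example that is not part of the original comments: a plain-Ruby Rack-style middleware (Rails runs on Rack) that rewrites responses under sensitive path prefixes to `Cache-Control: no-store` and leaves everything else alone. The class name, the path prefixes and the sample app are assumptions made for illustration.

```ruby
# Added example: Rack-style middleware in plain Ruby (no gems needed).
# Class name and path prefixes are hypothetical.
class NoStoreForSensitivePaths
  CACHE_HEADERS = %w[cache-control pragma expires].freeze

  def initialize(app, prefixes: ['/account', '/admin'])
    @app = app
    @prefixes = prefixes
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless sensitive?(env['PATH_INFO'].to_s)

    # Drop whatever caching directives the app set, in any letter case,
    # so a leftover "Cache-Control" cannot conflict with the new header.
    cleaned = headers.reject { |name, _| CACHE_HEADERS.include?(name.to_s.downcase) }
    # no-store: browsers and intermediaries must not keep a copy.
    cleaned['cache-control'] = 'no-store'
    [status, cleaned, body]
  end

  private

  # Match whole path segments so '/accounting' is not treated as '/account'.
  def sensitive?(path)
    @prefixes.any? { |p| path == p || path.start_with?("#{p}/") }
  end
end

# Constructed sample app: answers every request with cacheable headers.
SAMPLE_APP = lambda do |_env|
  headers = { 'Content-Type' => 'text/html',
              'Cache-Control' => 'max-age=0, private, must-revalidate' }
  [200, headers, ['page']]
end

# Helper for trying the middleware against a given request path.
def response_headers_for(path)
  _status, headers, _body =
    NoStoreForSensitivePaths.new(SAMPLE_APP).call('PATH_INFO' => path)
  headers
end
```

In a Rails application a middleware like this would be registered with `config.middleware.use`; public pages and assets keep their normal caching behaviour.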