Scenario: Web app allows users to login to telegram >> ".session" sqlite file is created in server once logged in
Problem: I now have full access to N number of users' telegram account
Question: Is there a way for me(developer) to have no access to their session file whilst they(browser client) have full access to it during their session?
note: I still need to use their session file to get specific messages when they do a http request to the endpoint(s). but i dont have to see this data, only they have to.
Although not explicitly mentioned, the "telethon" tag was added to the question, so I will assume this is the library you intended to use.
Telethon's v1 default storage is indeed an SQLite database, but it does not need to be. It's merely a good default.
A session primarily exists to persist the authorization key used to encrypt communication with Telegram. Once you login, Telegram remembers that this authorization key is logged-in, and does not need to login in the future until logged out.
As soon as you have an logged-in authorization key, you have full access to the account. This means it's never safe for a server to have it at all, if you don't want to risk all of them being leaked.
The only choice is to communicate with Telegram exclusively on the client-side.
Python on the web may be doable, but is probably not the best idea.
However, there are JavaScript libraries such as gram-js that were inspired by Telethon and may help you out.