We provide a job you can periodically run to remove expired sessions. However, looking at the code, it appears that this only works for the database-backed sessions, and does not work for file-backed sessions. In the usual case, the cookie expires out of the user's browser and so they have no access to the session on disk, even if it is still present, but this leaves you with an ever-growing directory of old files on the disk.
As a practical matter, file-based sessions are extremely slow compared to the other session backends, so they are not very common in production environments.
If you'd like to open a ticket (or even write a patch), that would be great. I would suggest two improvements (probably as separate tickets). The first is to switch to using the new signing framework for file-based sessions, which provides the option for stronger datetime-based integrity checking. The second would be to improve the cleanup command so that it clears out file-based sessions in addition to the database-backed ones.
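
An added example, not part of the original post and not Django's own code: a standard-library sweep for the stale session files described above. It assumes the file backend's default file prefix (`sessionid`, the default `SESSION_COOKIE_NAME`) and the default two-week `SESSION_COOKIE_AGE`, and it treats a file's mtime as the last save of the session; the function name is hypothetical.

```python
import os
import stat
import time

SESSION_COOKIE_AGE = 1209600  # Django's default SESSION_COOKIE_AGE (two weeks), in seconds
FILE_PREFIX = "sessionid"     # Django's default SESSION_COOKIE_NAME, used as the file prefix


def purge_stale_session_files(directory, max_age=SESSION_COOKIE_AGE,
                              prefix=FILE_PREFIX, now=None, dry_run=False):
    """Delete session files whose mtime is older than max_age seconds.

    Assumption: a file's last-modified time approximates the last save of the
    session, so mtime + max_age is treated as its expiry.
    Returns the sorted list of file names removed (or that would be removed).
    """
    now = time.time() if now is None else now
    removed = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.name.startswith(prefix):
                continue  # not a session file; never touch unrelated files
            try:
                info = entry.stat(follow_symlinks=False)
            except FileNotFoundError:
                continue  # removed concurrently by another process
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks, directories and devices
            if now - info.st_mtime <= max_age:
                continue  # still within the cookie lifetime
            if not dry_run:
                try:
                    os.unlink(entry.path)
                except FileNotFoundError:
                    continue  # already gone; do not report it as removed
            removed.append(entry.name)
    return sorted(removed)
```

Run it with `dry_run=True` first against the session directory to confirm that only session files are selected before scheduling it.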