A professional golang core developer from google does not think it's undoubtly secure:
TLS session reuse in rclone is pending on this core golang ticket and on a number of open bugs in various SSL implementations, in particular OpenSSL:
- AFAICT openssl's strategy for handling TLS 1.3 session tickets makes it impossible to reliably implement communication patterns where the server never sends application-level data · Issue #7948 · openssl/openssl · GitHub
- Data loss with TLS 1.3 · Issue #10880 · openssl/openssl · GitHub
- Failing data connection with STARTTLS (Explicit TLS): tls session not reused · Issue #49 · secsy/goftp · GitHub
- FTPS uploads using TLSv1.3 are likely to fail unexpectedly · Issue #959 · proftpd/proftpd · GitHub (only closed in v1.3.7+ which isn't in many distros yet)
Also, there is some confusion between session reuse, TLS 1.3 session resume and TLS session cache. Don't ask me, I'm myself confused. I use SFTP wherever possible if the speed is not too low.
Related to: