SU for JIRA exposes user data to any JIRA system administrator as it allows the system administrator to become any other user.
No user content or passwords are stored or otherwise transferred.
The action of invoking SU stores a cookie on the client web browser with a hard wired 5minute expiry, this means, even in the unlikely event of cookie theft, any exploit would have to occur within 5 minutes of its generation.