There are many reports of Devise and the lack of availability of "current_user" for use in models. There are many workarounds posted here and elsewhere. However, I did not find the answer to the "why" in any of the posts. Is this a security issue? If not, why?
Since you do not have access to the session variable inside the model, this is not a development issue or something related to security. This is due to the MVC pattern used in Rails.
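The separation described in the answer above, as an added example that is not part of the original answer: a plain-Ruby sketch in which only the controller sees the session, and the model receives the acting user as an explicit argument. All class names are hypothetical, the data is constructed, and the `current_user` method here is a stand-in for Devise's controller helper, not Devise code.

```ruby
# Plain-Ruby sketch (no Rails or Devise needed); every name is hypothetical.
User = Struct.new(:id, :admin)

# Model layer: holds data and rules, has no session and no request.
class Article
  attr_reader :title, :owner_id

  def initialize(title:, owner_id:)
    @title = title
    @owner_id = owner_id
  end

  # The acting user is an explicit argument, so the rule gives the same
  # answer from a controller, a background job, or a console.
  def editable_by?(user)
    return false if user.nil? # no actor (e.g. a job): deny by default
    user.admin || user.id == owner_id
  end
end

# Controller layer: the only place that sees the session.
class ArticlesController
  # Constructed user table standing in for a database lookup.
  USERS = { 1 => User.new(1, false), 2 => User.new(2, false), 3 => User.new(3, true) }.freeze

  def initialize(session)
    @session = session
  end

  # Stand-in for Devise's current_user helper: resolved from the session.
  def current_user
    USERS[@session[:user_id]]
  end

  def update(article)
    article.editable_by?(current_user) ? :ok : :forbidden
  end
end

# Background job: runs with no request, so there is no session to read.
class ReindexJob
  def perform(article, actor = nil)
    article.editable_by?(actor) ? :reindexed : :skipped
  end
end

ARTICLE = Article.new(title: "Constructed sample", owner_id: 1)
```

Because the model never reaches for ambient request state, the authorization rule can be unit-tested without a session and fails closed when no actor is supplied.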