Guero,
Excellent observations, and we're still investigating a lot, so we don't have all the answers right now. We still see no way that JFBConnect is leaking data, and would (again) highly recommend that anyone who's received the email respond to it to let Facebook know that you don't think it's an issue on your site and that you think you received the email erroneously.
As for your specific questions:
i) Why the session_key isn't shown in our video: The session_key really shouldn't be passed by the URL. It should be set by Facebook in a cookie. However, even if it is passed by the URL, JFBConnect correctly strips it from the URL as required. Initially, we thought this was because of a few browser differences and Facebook would include the key in the URL in some cases. We're not sure that's the case now, and are trying to understand why. There are a few things to note that may make a difference, but we haven't seen a change yet in our testing:
1) In your Facebook application, please check the Advanced tab, and see if the "Remove Deprecated Auth Methods" setting is enabled or not. This should be able to be disabled without issue, and we'd recommend doing it.
2) On your page, we're seeing a JavaScript error. In the body tag is a call to onLoad=setFocus(). Since this doesn't exist, that's a problem. While I don't think that's the problem, it could actually be interfering with how the cookie is set by Facebook and forcing them to send the key back in the URL. Please try to remove the JavaScript call/error.
ii) Loading 3rd party content is completely fine throughout your site. The only page that the content cannot be loaded on is the page that Facebook returns the user to after they've registered/logged in. This is the only time the session key can be sent in the URL, and therefore, the only time it could be intercepted by a 3rd party. On any other page, this isn't an issue.
Since Facebook returns the user to a special JFBConnect page (index.php?option=com_jfbconnect&task=loginFacebookUser) and because that page strips the session_key if it exists by redirecting the user to a new page, this is again not a possible data leak issue.
Technical or not, it's always best to understand your site.
Hope this helps explain, and definitely ask away with any questions you have!
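
The strip-and-redirect behaviour described in the reply, together with a check for which third-party hosts a return page would expose the key to if it were rendered instead, as an added example that is not part of the original post and is not JFBConnect's code. The host names, the key value and the sample markup are constructed, and redirecting to the same URL minus the key is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"session_key"}  # parameter named in the post

def strip_session_key(url):
    """Return (clean_url, was_present) with the sensitive parameter removed."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k not in SENSITIVE]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, len(kept) != len(pairs)

def login_return(url):
    """Return page logic: redirect with no body while the key is in the URL."""
    clean, present = strip_session_key(url)
    return (303, clean) if present else (200, url)

class _FetchedHosts(HTMLParser):
    """Collect hosts of resources a browser fetches automatically."""
    FETCHED = {"script", "img", "iframe", "link", "embed"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.FETCHED:
            return
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)

def exposed_hosts(url, html, site_host):
    """Third-party hosts that could see the key (for example through the
    Referer header) if this HTML were rendered at this URL."""
    if not strip_session_key(url)[1]:
        return []  # no key in the URL, nothing to expose
    parser = _FetchedHosts()
    parser.feed(html)
    return sorted(h for h in parser.hosts if h != site_host)

# Constructed sample input.
RETURN_URL = ("https://site.example/index.php?option=com_jfbconnect"
              "&task=loginFacebookUser&session_key=CONSTRUCTED-VALUE")
SAMPLE_HTML = ('<script src="https://ads.example.net/t.js"></script>'
               '<img src="/logo.png"><img src="//site.example/a.png">')

if __name__ == "__main__":
    print(login_return(RETURN_URL))
    print(exposed_hosts(RETURN_URL, SAMPLE_HTML, "site.example"))
```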