Theo,
I'm not quite sure what you mean by "such a ticket hijack", but as long as you retrieve a screen ticket from the vCD REST API (versus retrieving a VIM session ticket directly), vCD will be responsible for reasonable sorts of enforcement (ensuring that the ticket can be used only to access the VM for which it was acquired) and management (including time-based and use-based expiration) of that ticket.