flash[:notice] Security

Would it be possible for another website user to accidentally be served the flash[:notice] of another person? I may just redirect_to the final screen and reread the data back from the database, but thinking about all this made me wonder how secure flash[:notice] really is.

The flash is just a convenience gateway to the session. So if you trust the session, you'll trust the flash. And the session is simply just a unique md5 string in a cookie on the client that gets shot across on every request, which the server uses to find the session row/file with. It's not a highly complicated system, so if you wanted to dig in to do your own verification, it shouldn't be that onerous.

It's not a specially good idea to store AR objects in the session, as they may become outdated and so on. Preferrably, store the id, and define a controller method that finds the actual object.

If the saved data you want to show is an AR object, you may simply pass the id in the url and re-retrieve the record in the final screen, much simpler than relying on the flash.