
JavaScript User Authentication With Express and Mongo Sessions and Cookies Authenticating the Username and Password

"User id is never sent to the client browser" -- but what do they send in a cookie then?

Dave in the lecture around 6:10 says

Session data is sensitive and only stored on the server. User_id is never sent to the client browser.

But aren't we sending user_id to the browser from the server in a cookie? What is the conceptual difference here that I am not getting?

2 Answers

Neil McPartlin
14,662 Points

At around 6:02 on the video, Dave is actually talking about userId when stating that this is only held on the server. You are correct however in saying that user._id gets returned in a session cookie. If you look at row 19 of index.js you see both parameters mentioned.

So userId is the unique identifier for each user in the Mongo DB whereas user._id to quote Dave is...

And user is our document, it represents all the information for a single logged in user, and finally the underscore ID is that unique ID that mongod gave the document when it was inserted into the database.

Vitaly Khe
7,160 Points

As I understand, 'express-session' manages the sessions by some given parameter. In our case it's easier for us to give an _id as a parameter to the session instance, as well as request something from the session by _id. For example, we could give another parameter to store a session for this user, like 'some key'. But we should keep a link in memory or somewhere (db, file) that for user 'Maxim' we gave the key 'some key'. To avoid unnecessary operations we just give the _id of a user as a key to the session, and then we both know that key.

You will be able to see the connect.sid cookie given by a 'session' that received the _id. And its value is of course not equal to the _id, for security reasons. Let's say this is the 'session' job.