The weakest points of CI in terms of security?
#2

[eluser]pickupman[/eluser]
Your questions aren't related to CI only, as these are security concerns for any web application or programming language. The benefit of CI is that it allows you to not have to recode the libraries or functions every time you start a project. Using CSRF would be another feature already in CI that can improve security by not allowing outside users/bots/bad people to submit your URLs. I am personally a fan of extending my controllers from base classes/custom MY_Controller (see signature). This allows you to create controllers whose constructs will check permissions for you automatically.

Another concept is obscuring the user id and/or not using it in the URIs. You can use an offset to obscure the user id. (Example: Multiply the user id by 3.) Keep session information in the database, so cookies cannot be manipulated. Just be sure to make sure that the user id/CSRF token/(user id in session) are all valid.
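
The base-controller pattern described in the post above, as an added example that is not part of the original post or of CodeIgniter itself. It assumes CodeIgniter 2.x with `$config['csrf_protection'] = TRUE;` and `$config['sess_use_database'] = TRUE;` set in `application/config/config.php`; the `Auth_Controller` and `Profile` classes, the `require_owner()` helper, the `user_id` session key and the `login` route are hypothetical names.

```php
<?php
// application/core/MY_Controller.php (added example, CodeIgniter 2.x layout)

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session'); // userdata kept in the session table
        $this->load->helper('url');      // provides redirect()
    }
}

// Hypothetical base class: every controller extending it requires a login.
class Auth_Controller extends MY_Controller
{
    protected $user_id;

    public function __construct()
    {
        parent::__construct();
        // 'user_id' is an assumed key, written to the session at login time.
        // CI 2.x returns FALSE from userdata() when the key is not set.
        $user_id = $this->session->userdata('user_id');
        if ($user_id === FALSE || !ctype_digit((string) $user_id)) {
            redirect('login'); // assumed route; redirect() exits the request
        }
        $this->user_id = (int) $user_id;
    }

    // Compare an id taken from the URI or a form with the id held in the
    // server-side session, and refuse the request when they differ.
    protected function require_owner($requested_id)
    {
        if (!ctype_digit((string) $requested_id)
            || (int) $requested_id !== $this->user_id) {
            show_error('Forbidden', 403);
        }
    }
}

// Would normally live in application/controllers/profile.php.
class Profile extends Auth_Controller
{
    public function edit($id = '')
    {
        $this->require_owner($id); // the URI id must match the session's id
        // ... load and update the record for $this->user_id only ...
    }
}
```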

