I see that the pam_env feature where it applies user-controlled environment variables is now deprecated because it's a security risk.
That is very unfortunate. There needs to be a standard way to set up per-user environment variables, like there is on Windows, regardless of which shell or desktop environment is in use. Pam_env was it, but not any more.