Right now xsession will always run ~/.thinlinc/xstartup if it exists. It is likely though that administrators will want to be able to lock down the system so that users cannot control what gets started in their thinlinc session.
We actually have some support for this today. We mark xstartup.default as a config file and the TAG references that you can change it for exactly this use case. I'm not convinced that this is the best approach though. Proper configuration is preferable to having people change our shipped scripts.