1) serializeUser is filtering the data and storing it in the session cookie. generally store less in the cookie if you can. You are going to call the db for data about the user anyways so you can just store an ID used to retrieve and reconstruct the user, as seen in deserializeUser.
Request coming in the cookie is provided to the server by the client, the server deserializes the cookie into data, either decrypting cookie content or retrieving user data from the db. Then response headed out the server serializes the client data, scraping off things you wouldn't store in the cookie and putting them in the db, just leaving an id in the cookie.
if you are doing encryption then this can easily be screwed up when you want to scale by running multiple machines who each need to be able to decrypt the data (not really hard, but unnecessary complexity)
Having unencrypted data just lying in the cookie isn't the best, and besides anything in the cookie can add that inkling of extra bandwidth usage for the user.
2) The database calls should be very fast, if they aren't you are going to have a suffering user experience elsewhere anyways. In other words, my strong opinion is that there is an overwhelming argument for staying away from cookies.
consider that cookies are sent with each request; it would be smarter to, instead of shoving data into the session and having it add overhead, have the user data load up temporarily (cached) for a bit after the user makes a request, and then have neither database calls nor overhead from the cookie while the user is actively on your site.
honestly you should be fine at first without caching. Focus on getting your app up with minumum complexity. This way you can modify it according to user feedback faster and have fewer mistakes.
3) When I played with passport I had a similar issue. I would let passport do its job and grant passport-level-verification to the user (so yes they are logged in), then do more data collection separately. If you are concerned about security then make this passport-level verification not fully logged in, and require more data before upgrading to fully logged in.
I could be very off the mark with this one, but that's my recommendation.
4) Redis is good for times when you have multiple node instances and want to store something in memory (say a counter, or that cached user data). This way you don't have variables in the node code holding onto cached data about a user, which another node instance can't take advantage of when the user comes back and the load balancer shoots them to a different instance.
http://www.ourdailycodes.com/2013/09/redis-when-should-i-use-it.html
EDIT:
I should add that session uses a cookie, but only gives the user a unique token the server understands, so that the server can re-gather the user's session data when a connection is received with an accompanying session token. My understanding is that this is the generally correct way for Session to work... but that it varies by implementation (Someone correct me if I am wrong here).