Real-world survival analysis rarely ends with a single deliverable: practitioners typically publish cohort-level statistics, a deployable time-to-event model, interpretable Kaplan–Meier curves, and, where appropriate, a synthetic table for secondary use. When these heterogeneous outputs are protected through separate per-call differential privacy mechanisms, privacy accounting becomes fragmented and difficult to audit. We present RiskSetDP, a session-level framework that governs accounting, acceptance, and release for survival analysis under one auditable budget in the Rényi-DP domain. All calls are composed once, converted to \((\varepsilon ,\delta )\) for a single global acceptance check, and, when needed, proportionally scaled with noise recalibration so the complete bundle remains within budget. The framework couples a risk-set–aware differentially private Kaplan–Meier estimator that enforces a minimum risk-set threshold and emphasizes early horizons with isotonic post-processing, a reproducible DP-SGD protocol for horizon-wise risk modeling with standardized clipping, batching, and budget-matched noise, and workload-aware synthetic data generation from selected low-order marginals with a consistency repair step. Experiments on METABRIC and SUPPORT2 show consistent, monotonic gains as the session budget increases: curve errors decrease while concordance improves, model discrimination and especially calibration strengthen, and synthetic fidelity and task utility rise. Ablation studies support the value of risk-set control, post-processing, and session-level coupling, and empirical attack audits provide complementary diagnostics under specific attack models while the formal guarantee remains the session-level DP accounting record. These results indicate that RiskSetDP provides a practical and auditable session-level release workflow for survival analysis on two public cohorts, preserving utility while maintaining an externally verifiable accounting record.