It’s not a data security risk it’s an intelligence risk. The short answer to what you are describing is security through obscurity.
While security through obscurity is one option, it becomes pointless if you actually have proper security to begin with. A poor, but valid, example is I know the address to the white house where the US president lives. However just because I know that doesn’t mean I can just walk in the front door uninvited.
Even on a SQL database that uses an integer as a user’s ID (which Strapi does) it makes no difference if you are id 3264 and someone tries getting the information on user 3265 or 3263 if the proper controls are in place to prevent access. Yes they can see it’s an integer, yes it could be sequential (even Mongo’s Object IDs are sequential, just not as obvious). The question then becomes what can they do with that information?
We already have default security in place (so long as the user doesn’t break that security in a custom implementation) so they can’t fetch sequential data. And other than that I don’t see any security risk from it.
From an intelligence risk sure, some competitor wants to know how many users you have compared to themselves; could they try and query all 2.1 billion IDs to check if it’s a 404 or 403? Sure. (Though I would hope you have some level of monitoring to detect that, and given the time it would take to actually check them all).
In summery exposing the IDs imo is not inherently good or bad, it depends on the user and what they identify as risk.