From our perspective (core Strapi team), security risk is really all we can/should “care” about; intelligence risks are and should be left up to the user to decide and mitigate, as we cannot plan or account for that (it would require us to know the details of the application and what the user deems as a “risk”; we simply can’t do that for millions of projects).
All we as the core team can do is abide by some of the most common and well-respected “community defaults” until such time as those defaults change. Over the course of probably 4 years I have only ever seen this question come up once or twice, although UUIDs on SQL databases have come up more often.
Rarely do I see anyone wanting to remove the IDs from the response entirely; I equate that to the same as changing the port for SSH from 22 to some random port to stop bot spam but not as a security mitigation.