Is exposing database ids good practice?

I’m a little bit late, but still I would like to disagree here.

Let’s imagine that there is a badly configured permission and the users collection, for example, is publicly available with “findOne”:

With numeric ids, an external person could crawl the whole user collection without any issue. Simply start with 1 and iterate until too many 404s were returned. BAM! The whole user collection is in bad hands.

With randomly generated ids, one would be able to crawl his own id. If he is smart, he would crawl all the website / webapp data for other user ids and maybe get a few more. But without breaking one of the leaked users' passwords, he would not get far with that approach. Still very bad, but way less than the first scenario.

This could also happen with a bad release of Strapi or something. We do our best to ensure the data is not publicly available, but it still can happen. If it happens, random ids will cause way less harm than incremented ids.

In our company we just add a randomly generated id and avoid using the incremental id anywhere. It’s not a very nice workaround, but IMO it’s way safer than using the incremental ids.
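
The workaround described in the post above, sketched as an added example (not part of the original post and not Strapi code): an in-memory store keeps the incremental id internal, exposes only a random `publicId`, and counts how many records the same open `findOne` gives up under each keying. The store, its function names, the sample usernames and the choice of `crypto.randomUUID()` for the random id are all assumptions made for illustration.

```javascript
const { randomUUID } = require("node:crypto");

// In-memory stand-in for a "users" collection (constructed data, no real API).
function createStore() {
  const rows = new Map();       // incremental id -> row
  const byPublicId = new Map(); // random public id -> incremental id
  let nextId = 1;
  // Serializer: the incremental id never leaves the server.
  const toPublic = ({ id, ...rest }) => rest;
  return {
    createUser(username) {
      const row = { id: nextId++, publicId: randomUUID(), username };
      rows.set(row.id, row);
      byPublicId.set(row.publicId, row.id);
      return toPublic(row);
    },
    // The open "findOne" from the post, keyed by incremental id.
    findOneByNumericId(id) {
      const row = rows.get(Number(id));
      return row ? { status: 200, body: row } : { status: 404 };
    },
    // The same open endpoint, keyed only by the random public id.
    findOneByPublicId(publicId) {
      const id = byPublicId.get(String(publicId));
      return id ? { status: 200, body: toPublic(rows.get(id)) } : { status: 404 };
    },
  };
}

// How many records a list of guessed keys exposes through one endpoint.
function exposedCount(findOne, guesses) {
  return guesses.filter((g) => findOne(g).status === 200).length;
}

function demo() {
  const store = createStore();
  const users = ["alice", "bob", "carol", "dave"].map((u) => store.createUser(u));
  const sequential = Array.from({ length: 10 }, (_, i) => i + 1);
  const own = users[0].publicId; // the only id a user legitimately knows
  return {
    numeric: exposedCount(store.findOneByNumericId, sequential),
    random: exposedCount(store.findOneByPublicId, [...sequential, randomUUID(), own]),
    leaksInternalId: "id" in store.findOneByPublicId(own).body,
  };
}

console.log(demo());
```

With the four constructed users, sequential guesses expose every record through the numeric endpoint, while the random-keyed endpoint returns only the record whose id the caller already holds.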