In what world is it safe to rely on an external service to provide GUIDs for you? Where's the guarantee that the service won't one day start manipulating GUIDs? Now you have a major attack vector.
That seems hyperbolic to me. If you rely on UUID for security, it seems, to me, something is wrong in your architecture and the security flaw lies there.
When would you, legitimately, rely on GUID/UUID for security?
You can totally use uuid4 as password reset tokens, and they could be slightly nicer than random urlsafe strings for your database, provided they’re generated securely, not from givemeguid.com.
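Added example, not part of any comment in this thread: a sketch of uuid4 password reset tokens generated locally (CPython's `uuid.uuid4()` draws its 122 random bits from `os.urandom`), stored only as a hash, single use and time limited. The function names, the 15-minute lifetime and the in-memory dict standing in for a database table are assumptions.

```python
import hashlib
import time
import uuid

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link

# Stand-in for a database table: sha256(token bytes) -> (user_id, expires_at).
# Only the digest is stored, so a leaked table does not yield usable tokens.
RESET_TOKENS = {}


def token_digest(token: uuid.UUID) -> str:
    return hashlib.sha256(token.bytes).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a token locally and return the string to put in the reset link."""
    now = time.time() if now is None else now
    token = uuid.uuid4()  # generated in-process from the OS CSPRNG
    RESET_TOKENS[token_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return str(token)


def redeem_reset_token(presented, now=None):
    """Return the user id for a valid token, or None. A token works once."""
    now = time.time() if now is None else now
    try:
        token = uuid.UUID(presented)
    except (ValueError, AttributeError, TypeError):
        return None  # not parseable as a UUID at all
    if token.version != 4:
        return None  # v1 and friends embed time/MAC data, not randomness
    # pop() makes the token single use, even if it turns out to be expired
    record = RESET_TOKENS.pop(token_digest(token), None)
    if record is None:
        return None
    user_id, expires_at = record
    if now > expires_at:
        return None
    return user_id
```

Because the lookup key is a hash of the presented value, the comparison never runs byte by byte against the stored secret.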