Relying on UUIDs alone is security through obscurity. This is not what's being suggested. What is suggested is that you do the proper checks in your code, but failing to do so, it is still impractical for malevolent actors to guess an ID. This is security in depth.