"You cannot pass id in URL AKA expose to users"

This can be words of person who don't understand correctly Authorization.

If you have not done Authorization I can hack into other stuff even if your IDs are encrypted or Uuids in many cases.