If new profiles are created from a device (web, mobile device or any other connection that is not a secure server-to-server connection) then then UUIDs should be chosen or profile IDs should otherwise chosen from a keyspace with large number of random bits (for instance, web library generates keys with 32 characters a-z0-9, example eser4xdjclozet5rrtqwyfz9rnrjerkg).