I'd argue that obscuring the vulnerability with UUIDs would make it more difficult for good actors (ie., someone on the marketing team) to catch as well, which reduces the likelihood of the ACTUAL issue being fixed. I don't think you can say it's objectively better than using a serial ID.