Who said anything about trust? Server-side validation still applies; you don't just DELETE /user/{id} without verifying ownership, regardless of where the id comes from.
But client-generated IDs make idempotency easier and remove whole classes of errors. They're typically a huge win.
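A sketch of the pattern this comment describes, added here as an example and not taken from the comment: the server accepts a client-generated UUID so that retries are idempotent, but still checks ownership on every operation. The `NoteStore` class, its method names, and the in-memory dict standing in for a database table are all assumptions made for illustration.

```python
import uuid


class Forbidden(Exception):
    """Caller does not own the resource addressed by the ID."""


class Conflict(Exception):
    """ID is already used by the caller for different content."""


class NoteStore:
    """Hypothetical in-memory stand-in for a table keyed by a client-generated UUID."""

    def __init__(self):
        self._rows = {}  # canonical id -> (owner, body)

    @staticmethod
    def _canon(note_id):
        # Parse and re-serialise so case or brace variants map to the same key;
        # malformed input raises ValueError before it reaches storage.
        return str(uuid.UUID(note_id))

    def put(self, caller, note_id, body):
        """Create the note, or recognise a retry of the same request."""
        key = self._canon(note_id)
        row = self._rows.get(key)
        if row is None:
            self._rows[key] = (caller, body)
            return "created"
        owner, stored = row
        if owner != caller:
            # The ID came from the client, so it proves nothing about ownership.
            raise Forbidden(key)
        if stored != body:
            raise Conflict(key)
        return "replayed"  # same caller, same ID, same body: safe retry

    def delete(self, caller, note_id):
        """Delete only the caller's own note; repeating the call is harmless."""
        key = self._canon(note_id)
        row = self._rows.get(key)
        if row is None:
            return "absent"
        if row[0] != caller:
            raise Forbidden(key)
        del self._rows[key]
        return "deleted"
```
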