
What has worked best for us is to have a sequential integer as the primary key as well as a UUIDv4 as a surrogate key for every row. The applications would expose the objects only using the UUID and never the primary key. The primary key always remains internal at the database level and never gets referenced or used at the application layer. In this way the security and privacy of objects are maintained, and having a sequential integral primary key for the object ensures the database design remains robust. Essentially, separating out the key for the database and the application. Is there any potential issue with this approach?
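A sketch of the layout described in the comment above, added here as an illustration and not the commenter's own code. The table names, column names and helper functions are assumptions, and SQLite stands in for whatever database is actually used.

```python
import sqlite3
import uuid

# Hypothetical schema: integer keys for joins, UUIDv4 for anything external.
SCHEMA = """
CREATE TABLE account (
    id        INTEGER PRIMARY KEY,   -- sequential, internal only
    public_id TEXT NOT NULL UNIQUE,  -- UUIDv4, the only key callers see
    name      TEXT NOT NULL
);
CREATE TABLE invoice (
    id         INTEGER PRIMARY KEY,
    public_id  TEXT NOT NULL UNIQUE,
    account_id INTEGER NOT NULL REFERENCES account(id),
    amount     INTEGER NOT NULL
);
"""

def connect():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def create_account(db, name):
    public_id = str(uuid.uuid4())
    db.execute("INSERT INTO account (public_id, name) VALUES (?, ?)",
               (public_id, name))
    return public_id  # the integer id is never returned

def create_invoice(db, account_public_id, amount):
    # The UUID is resolved to the integer key inside the data layer only.
    row = db.execute("SELECT id FROM account WHERE public_id = ?",
                     (account_public_id,)).fetchone()
    if row is None:
        raise KeyError("unknown account")
    public_id = str(uuid.uuid4())
    db.execute("INSERT INTO invoice (public_id, account_id, amount) "
               "VALUES (?, ?, ?)", (public_id, row[0], amount))
    return public_id

def get_invoice(db, invoice_public_id):
    try:  # reject anything that is not a UUID, e.g. a guessed integer
        key = str(uuid.UUID(invoice_public_id))
    except ValueError:
        return None
    row = db.execute(
        "SELECT i.public_id, a.public_id, i.amount FROM invoice i "
        "JOIN account a ON a.id = i.account_id WHERE i.public_id = ?",
        (key,)).fetchone()
    if row is None:
        return None
    # Related rows are also referenced by UUID, never by integer key.
    return {"id": row[0], "account": row[1], "amount": row[2]}
```

The UUID hides row counts and ordering from callers, but it is not an access check: a lookup by `public_id` still needs a per-caller ownership test.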

