Why I'm using NanoIDs for my database keys (brockherion.dev)
2 points by busymom0 51 days ago | 2 comments


"...Changing that ID in a request to your API could fetch data that you’re not supposed to have access to...." By definition, the data that "you" are not supposed to have access to should be in a different table. Every time a business object goes through a process step, it becomes a different type, with a different set of permissions.


Here’s a heretical thought: you should have some idea what uniquely distinguishes an entity in your database before you give it a key.

Because if the only thing is an arbitrary number, you probably should just be using a symbol table instead.



