You can create a random number or use an autonumber in a separate attribute of the user. Never display the name attribute. With entity access you can hide the data for other users. All commonly known security issues are covered in Mendix; however, you can always hire some security company which will test your app.
No, just knowing the GUID of an object does not give you more access to the application data; it's just an identifier. That said, you do need to configure security correctly in the domain model, otherwise you can always retrieve objects by their identifier, but that applies to any Mendix application, and relying on people not knowing identifiers of an object is not secure anyway. So don't worry about making reports that contain GUIDs; you will be fine as long as you set up your security.