> Using UUIDv7 is generally discouraged for security when the primary key is exposed to end users in external-facing applications or APIs.

I would not call this “generally discouraged” when APIs generally surface a created_at timestamp in their responses. A real life example are Stripe IDs which have similar properties (k-sorted) as UUIDv7: https://brandur.org/nanoglyphs/026-ids#ulids