The counter in a pointer is still a kind of key, even if not cryptographic. What I mean is the risk of hitting the limit of number of available counter bits.

Some approaches on this take the probabilistic route and reuse counter values. Others invalidate the object ID when the counter wraps. I've myself designed a system that did the latter, but I think that was viable in that case only because the churn was expected to be extremely low. But for arbitrary pointers in arbitrary programs you can not make such an assumption.

> What I mean is the risk of hitting the limit of number of available counter bits.

I think this is vanishingly unlikely in a system like EROS/CapROS. As I said, revocations in such a system are very rare, and the version number is 32-bits. This system is checkpointed and so object IDs and their versions can be garbage collected during the checkpoint.