It depends, but I was imagining a vulnerability where I authenticate to the API as myself, but use your ID. Or I sed my usage/diagnostic logs and replace my ID with yours. This might sound really boring, but as an example, I could send logs/activity as someone else, placing them at a scene of a crime that would show up in a subpoena.
I doubt this vulnerability exists, but these IDs (and any IDs by any company) should be guarded just like any other PII for exactly this sort of reason.
You're suggesting it's an authorization token - which it obviously is not.