What if a broken client implementation uses the same client ‘generated’ UUID (or very similar) for all client requests?