
> Do not assume that UUIDs are hard to guess; they should not be used as security capabilities

https://news.ycombinator.com/item?id=10631806



Use a crypto-quality PRNG (/dev/urandom is fine) and you should be fine, especially since the time it takes to brute-force URL parameters is very high (network latency). Just about anything is better than sequential numbers here.
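An added example (not from the thread) of the commenter's advice in Python: build an RFC 4122 version-4 UUID from the OS CSPRNG, and reject capability values that are not random version-4 UUIDs (a version-1 UUID is derived from a timestamp and node id, so it is guessable). The names `random_uuid_from_urandom` and `is_random_uuid` are this example's own.

```python
import secrets
import uuid


def random_uuid_from_urandom() -> uuid.UUID:
    """Return a version-4 UUID built from 16 bytes of OS CSPRNG output.

    secrets.token_bytes reads the OS CSPRNG (/dev/urandom on Linux), so the
    122 variable bits are unpredictable.  CPython's uuid.uuid4() does the
    same with os.urandom; a Mersenne-Twister `random.Random` would not be
    acceptable here because its output can be reconstructed from samples.
    """
    raw = bytearray(secrets.token_bytes(16))
    raw[6] = (raw[6] & 0x0F) | 0x40  # upper nibble of byte 6: version = 4
    raw[8] = (raw[8] & 0x3F) | 0x80  # top two bits of byte 8: variant = 10xx
    return uuid.UUID(bytes=bytes(raw))


def is_random_uuid(value: str) -> bool:
    """Accept only a well-formed RFC 4122 UUID whose version field is 4.

    Anything else (malformed, version 1 time-based, version 3/5 hash-based)
    is rejected, because only a version-4 UUID from a CSPRNG carries enough
    unpredictability to stand in for an access capability.
    """
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version == 4


if __name__ == "__main__":
    token = random_uuid_from_urandom()
    print(token, "random v4:", is_random_uuid(str(token)))
    # Constructed sample: the RFC 4122 DNS namespace UUID, which is version 1.
    print("6ba7b810-9dad-11d1-80b4-00c04fd430c8", "random v4:",
          is_random_uuid("6ba7b810-9dad-11d1-80b4-00c04fd430c8"))
```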


They are harder to guess than sequential numbers.

No security is perfect - it is all deterrence. Using UUIDs instead of numbers at least closes the front door, even if it isn't locked.



