I don't think there is any problem as such. If exposing your ID makes your database vulnerable then its not the problem with exposing IDs but the insecurity of your database.
Consider Facebook's open graph database publicly available for people to access it (at least earlier). Suppose you can access user data through _id via OAuth, yet you'll not be able access sensitive information about that user. So the point is, exposing IDs in the URL is not a bad approach but how you mask the sensitive data is important.
With respect to URL representation, follow any rule, be it hashed ID with lookup or actual entity IDs but make sure the logic is consistent across the codebase or at least use-case basis so that it's easy to maintain. And, One of answers mentioned about SEO and UX, probably true in-case of client web URLs but I'm not sure if the same is applicable for backend URLs