-
In reality, relying on the username is not a good way to design, precisely because it can be changed. The ID is the only data you should rely on when writing a plugin.
-
The fact that the username is not “sensitive” data for security purposes may be true up to a certain point. Not everyone adopts the 2FA approach, and brute force attacks on sites without adequate protection (absence of a limit on incorrect logins, xmlrpc active) and with part of the login known, can easily overcome the bland defense of a password.
My philosophical approach is that CP should do everything to protect the user’s account, eliminating any even minimal and remote security problems.
Then, of course, if one intends to create an impassable wall, he equips himself with a robust plugin that does that protection job.