
"Zoombombing" is a thing because the ID space is ridiculously small. It's 8 digits! Just pump it up to UUID size and encode it as Crockford Base32 + checksum. Then you don't need a password because the ID space is too big to guess. We all learned this back in the days of link shorteners, but Zoom somehow didn't?
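
Added example, not part of the thread and not Zoom's code: a sketch of the scheme the comment above proposes, a 128-bit random ID encoded as Crockford Base32 with a mod-37 check symbol, plus the guessing arithmetic behind "too big to guess". The function names, the 9-character grouping and the number of live meetings are assumptions made for illustration.

```python
import secrets

ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"   # Crockford: no I, L, O, U
CHECK_ALPHABET = ALPHABET + "*~$=U"             # 37 check symbols (value mod 37)
ID_BITS = 128                                   # "UUID size" from the comment
DATA_SYMBOLS = -(-ID_BITS // 5)                 # 26 symbols of 5 bits each

def encode(value: int) -> str:
    """Encode a 128-bit integer as 26 Crockford symbols plus one check symbol."""
    if not 0 <= value < 1 << ID_BITS:
        raise ValueError("value out of range")
    digits = [ALPHABET[(value >> (5 * i)) & 31] for i in reversed(range(DATA_SYMBOLS))]
    return "".join(digits) + CHECK_ALPHABET[value % 37]

def decode(text: str) -> int:
    """Decode and verify; raises ValueError on malformed input or a bad check symbol."""
    # Crockford decoding ignores hyphens and case, and maps look-alikes to digits.
    text = text.replace("-", "").upper().translate(str.maketrans("OIL", "011"))
    if len(text) != DATA_SYMBOLS + 1:
        raise ValueError("wrong length")
    body, check = text[:-1], text[-1]
    value = 0
    for ch in body:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid symbol {ch!r}")
        value = (value << 5) | idx
    if value >> ID_BITS:
        raise ValueError("value out of range")
    if CHECK_ALPHABET.find(check) != value % 37:
        raise ValueError("check symbol mismatch")   # typo caught before any lookup
    return value

def new_meeting_id() -> str:
    """Hypothetical generator: 128 bits from the OS CSPRNG, grouped for readability."""
    s = encode(secrets.randbits(ID_BITS))
    return "-".join(s[i:i + 9] for i in range(0, len(s), 9))

def expected_guesses(id_space: int, live_meetings: int) -> float:
    """Mean number of uniform random guesses before one lands on a live meeting."""
    return id_space / live_meetings
```

With the 8-digit space (10**8) and an assumed 1,000 live meetings, `expected_guesses` returns 100,000; with 2**128 and the same assumption it returns roughly 3.4e35.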


The ID number can also be used by attendees calling in via phone, so it has to be short and numeric (back to the UX vs. security tension).

Another issue was that until recently the ID number was prominently displayed in the application window. Many people (including Boris Johnson) shared screenshots on social media with the ID included.



