It highly depends on what the purpose of the string is: if it can be clearly seen by the user, has to be read, or worse typed, then it's not just a random string in a database.

If the string is a url, imagine sending https://somesite/wanker to your client, when it actually could also be https://somesite/ay3ugd