The best practices page mentions the following:
"Consider an explicit UID/GID
Users and groups in an image are assigned a non-deterministic UID/GID in that the “next” UID/GID is assigned regardless of image rebuilds. So, if it’s critical, you should assign an explicit UID/GID."
What is the significance of explicitly specifying the UID/GID?
Under what scenario does allowing the system to assign the UID/GID not provide sufficient security?
Explicitly specifying these values seems to have the downside of leading to a situation in which the explicitly specified value (UID/GID) is already in use.
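
The following is an added example, not part of the original post or the best practices page. It shows how the "next" UID can change between two builds of the same image, and how a build step can check an explicit UID for the collision raised above. The passwd entries, the `newpkg` account, UID 10001 and the allocation model (highest UID in 1000-59999 plus one) are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample data: passwd entries from two builds of the same image.
# In build B the base image gained a package that created its own account
# before the application user was added.
BUILD_A='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'
BUILD_B='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
newpkg:x:1000:1000::/home/newpkg:/bin/sh'

# Simplified model (assumption) of "next" allocation: the highest UID already
# in the 1000-59999 range plus one, or 1000 when that range is empty.
next_uid() {
    printf '%s\n' "$1" | awk -F: '
        BEGIN { max = 999 }
        $3 >= 1000 && $3 <= 59999 && $3 > max { max = $3 }
        END { print max + 1 }'
}

# Print the account name that already holds UID $2, or nothing if it is free.
uid_owner() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { print $1; exit }'
}

# Succeed only if explicit UID $2 is unused, so a collision fails the build
# instead of silently sharing an identity with another account.
check_explicit_uid() {
    owner=$(uid_owner "$1" "$2")
    if [ -n "$owner" ]; then
        echo "UID $2 already used by $owner" >&2
        return 1
    fi
    return 0
}

# Files written to a volume as UID 1000 under build A belong to "newpkg"
# once the container is replaced with build B.
echo "implicit app UID in build A: $(next_uid "$BUILD_A")"
echo "implicit app UID in build B: $(next_uid "$BUILD_B")"
echo "UID 1000 in build B belongs to: $(uid_owner "$BUILD_B" 1000)"
check_explicit_uid "$BUILD_B" 10001 && echo "explicit UID 10001 is free in build B"
```

Picking an explicit value well above the range the base image allocates from keeps ownership of volume data and host-side permissions stable across rebuilds, and the check turns an already-used value into a build failure.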