While this does protect the internals, it fails to protect the abstract value of one client from another client. Guessable tokens suffice to access an abstract value. Garbage collection also fails to discover when no one can legitimately access an abstract value.
One might propose adding logic to the server to distinguish among clients, but then we pay a processing cost and loose the ability for one client to pass authority for an abstract value to another client. One might propose encrypted integers but then we suffer some trade-off between encryption cost and security.