There's nothing blocking me from entering whatever integers in the URL for something like https://musicbrainz.org/account/applications/revoke-access/19043349434/32343 - including ending up on someone else's application (edit: actually, the IDs here are just application and scope so there's nothing personalized about them). This will fail when I actually try to submit it, but it should probably just give me a 404 instead.