tl;dr: a non-profit got fined 75K€ because their website leaked 42,562 private documents from their users. Anyone could modify numbers in the URL and read other users' documents. The documents included passports, tax information, identity documents, and more.
Oof, I can see why then. On the other hand, if you're not storing people's passports... is this really something you should be worried about? And shouldn't somebody who's intentionally storing thousands of passports be required to implement basic security practices?
It was a 2017 case, but I guess it will reflect what can happen ?