Unfortuantely, security from our side is always a concern.
In terms of complexity the attachments code is already (as Spuds said) quite a bunch of spaghetti rolled up randomly. If we add also some kind of "custom naming" on top of it, depending on security concerns of the owner of the forum... well, I already regret giving 3 options to organize folders.
So we have to account for people that keep their attachments and caches open to the public.
That said, a base_convert doesn't really add anything to the address space unless I'm misunderstanding: if $file_id in your example if the attach_id of the database, then either it be the number from the db or the version in base 36, the potential for conflicts remain the same (that is... almost 0, because attach_id is an autoincrement, so I would not expect to have the same number returned twice... at least in mysql, in postgre since we use a function I would expect in some remote edge cases it may actually happen, but who knows, I'm not particularly knowledgeable of databases).
In terms of "debugging" it boils down to what and how you are debugging, if it's just to know if an attachment is created, you can check if a file with a certain attach_id is present. If it is it has to match the one in the database (where, incidentally, the hash is stored (file_hash), so if you need it it's just another round up of fetching the info from the attachments table).
Just challenging, of course.