We had in incident occur, where somebody did a backup and restore, and files were included in their destination course that were not in their original source, and were not their files at all.
We tracked it down, and they came from another course which created a backup at the same time on the system. Doing some research, I can only find that backup_unique_code is set based on time(), and never appears to be validated as unique. Relying on the probability of two backups not happening at the same time seems to be very risky, especially on large/busy Moodle installs.
If they conflict occurs, it would seem to mean unpredictable backups, and the possibility of file leakage from one party to the other. While very hard to actively exploit, the risk of data leakage seems moderate to high.