So do they [at Microsoft] name registry keys with those text versions of user token SIDs?
Logged-in user SID, not 'user token SID', whatever it is. And regarding 'do they?', I believe the answer is quite apparent. Yes, they do. They do load the user's hive under the textual SID name. I'm not sure what you mean by 'security breach', but access to the key is granted to SYSTEM, Administrators and the user himself. Nobody else. Do you see any problem with security here?
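
An added example, not part of the original posts: a PowerShell check that reads the access list of each user hive loaded under `HKEY_USERS\<SID>` and lists any allow entry whose trustee is not SYSTEM, Administrators or the hive's own user. The `$allowed` list and the SID pattern (local and domain accounts only) are assumptions of this example; run it elevated to read hives of other logged-in users.

```powershell
# Added example: audit the DACL on loaded per-user hives (HKEY_USERS\<SID>).
# Assumption: only SYSTEM, Administrators and the hive's own SID are expected.
$allowed = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'   # BUILTIN\Administrators
)
$hku     = [Microsoft.Win32.Registry]::Users
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($name in $hku.GetSubKeyNames()) {
    # Keep account hives only; skips .DEFAULT, service SIDs and <SID>_Classes.
    if ($name -notmatch '^S-1-5-21-\d+(-\d+)+$') { continue }

    try {
        # Ask only for the right to read the security descriptor.
        $key = $hku.OpenSubKey($name,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch {
        Write-Warning "Cannot read the access list of HKU\$name (not elevated?)"
        continue
    }
    if ($null -eq $key) { continue }

    try {
        $acl = $key.GetAccessControl(
            [System.Security.AccessControl.AccessControlSections]::Access)
        # Explicit and inherited entries, with trustees returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            $trustee = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trustee -eq $name -or $allowed -contains $trustee) { continue }
            [pscustomobject]@{
                Hive      = $name
                Trustee   = $trustee
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    } finally {
        $key.Close()
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No entries outside SYSTEM, Administrators and the hive owner.' }
```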