Should device IDs be kept private?

The answer is that it depends. As a general rule, we recommend keeping device IDs private, just to be safe. But a device ID is not really a secret.

Having the device ID by itself doesn’t grant you access to anything. In addition, because the device ID space is large (each ID is a 96-bit number), it’s not typically enumerable: you can’t just try every device ID, because there are too many of them. This makes any attack more difficult, because the more things you have to guess, the harder it is to guess.

But since all of the APIs are protected by an authorization token, not by the obscurity of the device ID, nothing actually becomes unsafe if device IDs are not kept secret.
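The model described above, as an added example that is not part of the original page and not the platform's own code: a request is authorized by the token and by the token's account owning the device, never by knowledge of the device ID. All names, tokens and the device ID below are constructed for illustration.

```python
import hmac

# Constructed sample data (hypothetical): token -> account, device ID -> owner.
TOKENS = {"tok_alice_constructed": "alice", "tok_bob_constructed": "bob"}
DEVICE_ID = "0123456789abcdef01234567"  # 24 hex characters = 96 bits
DEVICES = {DEVICE_ID: "alice"}


def lookup_account(token):
    """Return the account a token belongs to, or None if it is not valid."""
    presented = (token or "").encode()
    for known, account in TOKENS.items():
        # Constant-time comparison so timing does not leak token prefixes.
        if hmac.compare_digest(known.encode(), presented):
            return account
    return None


def authorize(token, device_id):
    """Return an HTTP-style status for a request that names device_id."""
    account = lookup_account(token)
    if account is None:
        return 401  # no valid token: knowing the device ID grants nothing
    if DEVICES.get(device_id) != account:
        # Same answer for "someone else's device" and "no such device",
        # so the API cannot be used to confirm that an ID exists.
        return 403
    return 200


def hit_probability(deployed, guesses, bits=96):
    """Upper bound on the chance that random guesses hit any deployed ID."""
    return min(1.0, deployed * guesses / 2 ** bits)


if __name__ == "__main__":
    print(authorize(None, DEVICE_ID))                     # ID only
    print(authorize("tok_bob_constructed", DEVICE_ID))    # wrong account
    print(authorize("tok_alice_constructed", DEVICE_ID))  # owner
    # One million devices, a billion guesses per second for a year.
    print(hit_probability(10 ** 6, 10 ** 9 * 86400 * 365))
```

The argument on this page holds only while every endpoint performs the ownership check in `authorize`; an endpoint that accepted any valid token for any device ID would turn the device ID into the only barrier.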