FAPI part 2 7.1 currently says:
Note that `request_uri` can be either URL or URN. If it is a URL, it shall be based on a cryptographic random value so that it is difficult to predict for an attacker.
This would seem to imply that if a URN is used it is okay for the URN to be predictable.
I am not 100% certain that is the case (perhaps an attacker could cause a DoS by attempting to use other people's URNs, as the URNs are meant to be one-time use? Though this probably requires at least a partial compromise of the client credentials too).