The HASH_SALT does look a bit concerning, have to look into this.
The APP_KEY is now generated on first startup and thus unique to your installation. If you want to recreate it, you have to run
php artisan db:seed --class ActivityTypesTableSeeder --forcefrom within a terminal into the app (You can get this through the Cloudron dashbaord) However I don't think this is required, given that it is unique to your instance already.
https://github.com/monicahq/monica/issues/381 is the security concern.
Using the ID can allow people to get a very good sense of how many users are on the system and the amount of contacts. It also is information leakage because I know all the URLs for every contact. I think using a hashid based on the contact id, the user creating it and maybe another factor would work great.