Can you decrypt external URL parameters with Salesforce Marketing Cloud?

A few months ago, I was asked to integrate a Salesforce Marketing Cloud (SFMC) customer preference centre with Commerce Cloud (CC). There was no connector in place between SFMC and CC, however, both systems were integrated with Sales Cloud.

The preference page was built using Ampscript to update Sales Cloud directly, in order to update the record in Sales Cloud I needed to have the record unique ID, the Person Contact ID.
This is straightforward when the landing page is accessible from an email sent via SFMC, the email links are automatically encrypted and there is no risk to expose the customer information.

Things become complicated when you are accessing the link from a source that does not offer encryption out of the box.
In our case, when customers are logged in, commerce cloud is able to identify the individual using the customer unique ID from Sales Cloud and if a customer decides to update their consent, can access the SFMC preference center page and be identified with the same ID.

This is possible by passing the customer unique ID as a parameter in the URL and then use Ampscript to retrieve the value.
However, this solution exposes the unique ID that could potentially be used to access customer PII. It was a…