Ok, I see what you are getting at, maybe I did not cover it well enough in the video. The check for UserCanEditModule is just one preliminary step for securing a custom feature, it is not a complete security solution. Additional steps to secure a feature can very depending on the feature.
In the case of the GuestBook example, before editing or deleting a guestbook item, one needs to check that the item has the same moduleid that is passed in. For creating a new item one can check that the module has the correct feature guid to make sure it represents a GuestBook instance.