On the one hand, the vanity URL people will want is probably often the same as their username, and usernames are unique.
On the other, a profile URL that gives away a username could I suppose give attackers a helping hand.
In the case of sites that use email addresses to log in (in my opinion this should be default for a number of reasons, but it's not my call, plus it's not the way Joomla works out of the box), this is not a problem, though on my site I would need to prevent username login (currently you can use either), but this would not be difficult.
Currently, I display the username field at signup, but tell the user it is a vanity URL field. Vanity URLs are not yet implemented though - I was planning on using Nginx's ability to route a URL based on an SQL lookup (e.g. select $userid where username = $username, map site.com/vanityurl -> site.com/people/profiles/$userid). I'm assuming this rewriting would be cacheable of course.
Given the above, what are your thoughts? Do you plan to create a new field for the vanity URL, or re-use the username?
If the latter, great; if the former, I guess I will probably need to ensure:
1. The username field is removed/hidden at signup and the email address is used to populate it.
2. The new vanity URL field replaces the username field (no change to user experience - text and form looks the same, just a different form field with the same description).
I'm not sure whether you have got that far yet (and I'm not bothered either way really), but if you have I can plan those changes my end...
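
The lookup described in the post, as an added example that is not part of the original post or of Joomla's code. It assumes a hypothetical `users` table with a separate `vanity` column (so the login name never appears in a URL) and uses SQLite in place of the site's database and Nginx front end; all names and sample rows are constructed.

```python
import re
import sqlite3

# Hypothetical schema and names; Joomla's real users table differs.
SLUG_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,30}[a-z0-9])?")
RESERVED = {"people", "admin", "login", "api"}  # paths the site itself owns


def make_db():
    """Constructed sample data: login name and vanity slug are separate columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " email TEXT UNIQUE, vanity TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, email, vanity) VALUES (?, ?, ?, ?)",
        [
            # username is populated from the email address at signup
            (42, "alice@example.com", "alice@example.com", "alice-w"),
            (43, "bob@example.com", "bob@example.com", None),
        ],
    )
    return conn


def normalise_slug(raw):
    """Return a canonical slug, or None if it is malformed or reserved."""
    slug = raw.strip("/").lower()
    if not SLUG_RE.fullmatch(slug) or slug in RESERVED:
        return None
    return slug


def resolve_vanity(conn, raw):
    """Map /<vanity> to /people/profiles/<id> using a bound parameter."""
    slug = normalise_slug(raw)
    if slug is None:
        return None
    row = conn.execute("SELECT id FROM users WHERE vanity = ?", (slug,)).fetchone()
    return f"/people/profiles/{row[0]}" if row else None


if __name__ == "__main__":
    db = make_db()
    for path in ["/alice-w", "/Alice-W", "/bob@example.com", "/admin", "/nobody"]:
        print(path, "->", resolve_vanity(db, path))
```

Because the slug is validated before the query and the lookup never touches the `username` column, a request for a login name or email address resolves to nothing rather than confirming that the account exists.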