Security of PHP’s str_shuffle()


I’m doing some research on PHP’s str_shuffle function. I have already asked this question multiple times on Stack Overflow but got no answer: https://stackoverflow.com/questions/61968859/is-it-possible-to-predict-the-next-output-for-the-str-shuffle-function-in-php.

I’m interested in how you would break str_shuffle, since PHP’s docs state "It does not generate cryptographically secure random values"; hence I’m guessing it can be compromised. But how? What I’ve tried so far is a brute-force attack, which I wrote about here: https://stackoverflow.com/questions/62106860/bruteforcing-a-32-bit-seed-in-php

Why is str_shuffle() used so frequently for generating random tokens? I see a lot of this kind of code:

```php
function generate($letters, $length = 8) // $letters is a pool of characters and numbers
{
    return substr(str_shuffle($letters), 0, $length);
}
```

Is this enough for security or not?
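
Added example, not part of the original question: the `generate()` pattern from the post next to a form that draws each character independently with `random_int()`, plus a count of how many tokens each construction can produce at all. The names `generate_secure` and `entropy_bits` and the sample pool are assumptions made for illustration, and the pool is assumed to hold single-byte characters.

```php
<?php
declare(strict_types=1);

// Pattern from the question: the token is a prefix of a permutation produced
// by PHP's non-cryptographic generator, so characters never repeat and the
// length is silently capped at strlen($letters).
function generate(string $letters, int $length = 8): string
{
    return substr(str_shuffle($letters), 0, $length);
}

// Hardened form (hypothetical name): every character is drawn independently
// with random_int(), which is backed by the operating system's CSPRNG.
function generate_secure(string $letters, int $length = 8): string
{
    $poolSize = strlen($letters);
    if ($poolSize < 2 || $length < 1) {
        throw new InvalidArgumentException('need a pool of >= 2 chars and length >= 1');
    }
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $letters[random_int(0, $poolSize - 1)];
    }
    return $token;
}

// Size of the token space in bits. This is an upper bound that looks only at
// the construction (with or without repeats), not at the generator behind it.
function entropy_bits(int $poolSize, int $length, bool $withReplacement): float
{
    $bits = 0.0;
    for ($i = 0; $i < $length; $i++) {
        $choices = $withReplacement ? $poolSize : $poolSize - $i;
        $bits += log($choices, 2);
    }
    return $bits;
}

$pool = 'abcdefghijklmnopqrstuvwxyz0123456789'; // constructed sample pool
printf("str_shuffle token: %s\n", generate($pool));
printf("random_int token:  %s\n", generate_secure($pool));
printf("permutation prefix space: %.1f bits\n", entropy_bits(strlen($pool), 8, false));
printf("independent draws space:  %.1f bits\n", entropy_bits(strlen($pool), 8, true));
// Asking generate() for more characters than the pool holds is truncated.
printf("generate(\$pool, 64) length: %d\n", strlen(generate($pool, 64)));
```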