When using the token setting to always store a payment method reference, which only makes sense in combination with custom code that then does something with that (setting up subscriptions in our case), then the ID for anonymous users is not handled correctly, which results in anonymous users being able to reuse stored credit cards.
Reporting this in public because this module is not stable and it's unlikely someone but us used this setting.
Fixed
2.0
Code