I've read a lot of threads and posts, but it's not clear enough whether the credential ID is safe to use as an identifier that can be listed without user consent (certutil, etc.), and retrieved only if the user approved that attempt.
I have read the spec, https://www.w3.org/TR/webauthn/#credential-id and it's not clear to me.
I would appreciate any input regarding this.
It somewhat depends on the context.
There is guidance on releasing credential IDs without knowledge of the user by a relying party, e.g. using an account identifier and WebAuthn as a first factor. Basically, this can release information on whether an account exists, what sort of authenticators are registered with it and other information that may lead to correlation. Depending on your application, this could be a security concern (e.g. social engineering), or a privacy concern.
In terms of visibility to a client platform, the CTAP specification defines credProtect to limit visibility of credentials for discovery until the user has performed verification. This limits the ability for credentials to be enumerated in cases where a party has temporary physical access.
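The account-existence leak described in the answer above, shown from the relying party's side as an added example (not code from the original post or from any WebAuthn library). The function names, the sample account and the assumption of one 32-byte credential ID per account are all hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample data: a server-side key and one registered account.
DECOY_KEY = b"constructed-demo-key-not-a-real-secret"
REGISTERED = {"alice": [bytes(range(32))]}  # username -> credential IDs


def b64url(raw: bytes) -> str:
    """Base64url without padding, as credential IDs are sent in JSON."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def descriptors(cred_ids):
    """Build the allowCredentials list for a set of credential IDs."""
    return [{"type": "public-key", "id": b64url(c)} for c in cred_ids]


def allow_credentials_leaky(username: str):
    """Answers differently for unknown accounts, so existence is observable."""
    return descriptors(REGISTERED.get(username, []))


def decoy_ids(username: str, count: int = 1, length: int = 32):
    """Derive stable fake IDs from the username with a keyed MAC.

    Stable output matters: random decoys would change on every request and
    give away that the account is not real.
    """
    ids = []
    for index in range(count):
        msg = f"{index}:{username}".encode("utf-8")
        ids.append(hmac.new(DECOY_KEY, msg, hashlib.sha256).digest()[:length])
    return ids


def allow_credentials_uniform(username: str):
    """Returns the same shape of answer whether or not the account exists."""
    real = REGISTERED.get(username)
    return descriptors(real if real else decoy_ids(username))


if __name__ == "__main__":
    for name in ("alice", "bob-unregistered"):
        print(name, allow_credentials_leaky(name), allow_credentials_uniform(name))
```

Decoys hide only whether an account exists; real credential IDs are still returned to anyone who supplies a valid username. A flow that must not release them before the user acts relies on discoverable credentials with an empty allowCredentials list.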