I submitted this error to both citizens2 and worldguard. Worldguard said the latest update just hides the issue, but the root cause has to do with citizen2 and luckperms.

Citizens2 told me it was a worldguard issue, but also a luckperms issue. Probably worth a look at.

https://hastebin.com/dojavitiko.sql

Latest Paper 1.13.2
Latest Luckperms 4.3.109
Latest Citizens2 Citizens-2.0.24-b1625
Latest Worldguard 7 Beta 3

Essentially, this LuckPerms warning stacktrace shows:

com.google.common.util.concurrent.UncheckedExecutionException:
java.lang.RuntimeException:
The operation to load user data for 'cfa4fcb1-a786-23fc-b956-33914c7bb373' was cancelled by LuckPerms. This is NOT a bug.
The lookup request was made on the main server thread. It is not safe to execute a request to
load data for offline players from the database in this context.
If you are a plugin author, please consider making your request asynchronously.
Alternatively, server admins can disable this catch by setting 'vault-unsafe-lookups' to true
in the LP config, but should consider the consequences (lag) before doing so.

When plugins make permissions requests regarding NPCs - ideally LuckPerms would not throw this and return default values for a permission node when an NPC is given.
This can be done by checking the UUID for v2 instead of v4 (NPCs have UUID v2, whereas real players have v4 for online mode, v3 for offline mode), OR use entity.hasMetadata("NPC").

Another possible solution (which would enable proper permission checks for NPCs) could be to get LuckPerms to load the data too when an NPC is spawned/added. Not sure which events LP is listening on exactly but I would imagine it just uses one of the join/login events, could NPCs call these when the "join" (spawn)? (Although I would imagine that this would cause issues on server start as every NPC would then join at once 🤔)

But at the same time it could enable plugins that listen on these events to load and cache data (like LP) to properly work with it.

I don't think LuckPerms should be coding special cases to handle Citizens NPCs. I also agree it is not WorldGuard's fault.

I personally think the most sensible solution is for Citizens to provide its own Vault implementation which handles lookups for NPC UUIDs, and delegates all other calls to the existing provider.

I'm open to any other suggestions, but I think a special case in the LP handler is a step in the wrong direction.

It wouldn't necessarily be special cases for Citizens NPCs, rather special cases for anything that isn't an actual player, which theory any number of plugins might use - Citizens just being the big noteworthy case.
As a relevant note, the v2 UUID for NPCs is mentioned on the protocol wiki: https://wiki.vg/Protocol#Spawn_Player

A Vault permissions provider like that could make sense as well, though...