LuckPerms

Steal account permissions with xboxlive?

BOT-Neil opened this issue · 5 comments

commented

If you have LuckPerms installed on a Bedrock server and a Java server and link them together, someone can make a free Xbox account with your Java name but different case and log in to the server, and it will give them your permissions because it does the lookup via name.

How to reproduce
Use https://github.com/yesdog/Waterdog as BungeeCord. Let's say your Mojang name is lUckbob; you can join with an Xbox account luckbOb.

commented

I think having an option to automatically “correct” the UUID based on the username would be nice. I mean, it’s happening at the moment. And having it on by default certainly is a good idea. But being able to turn it off would be even better.

commented

Also, having an option to make LP case-sensitive with player names could be a solution.

commented

A solution for this is a must. We pretty much cannot do anything about it until the author fixes it.

commented

Not really. The issue can't happen unless you merge two systems together that were never meant to be merged. So issues are to be expected.
And don't get me wrong. I understand that this is an infuriating issue for you, as it's nobody's direct fault (Waterdog just merges two platforms in a sane way, LP relied on the fact that all usernames are unique, even if lowercased, on all MC platforms) and you can't do anything about it.

What I would suggest is to reach out to yesdog and ask him if he can make sure names can't be duplicated (even with lowercase spelling), as that will be faster to implement.

I absolutely do agree that this also needs a fix (or at least an option (or two) that can fix it) on LP too. But Luck is very busy with real life, so don't expect anything too soon.

commented

I am of the opinion that a fix for this is out of scope for a plugin like LuckPerms.

The problem is better solved by the software you're using to merge the two platforms together.
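
The collision reported in this thread and the proxy-side mitigation suggested in the replies (refusing names that duplicate once lowercased), as an added example that is not part of the original thread and is not LuckPerms or Waterdog code. The class, enum, record and method names are hypothetical, and the accounts are constructed samples using the two names from the report.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical model of a login guard on a proxy that merges two platforms. */
public class NameCollisionGuard {
    enum Platform { JAVA, BEDROCK }

    /** An account as the proxy sees it: the platform plus that platform's own unique id. */
    record Identity(Platform platform, UUID id) {}

    // Lowercased username -> the first identity that claimed it.
    private final Map<String, Identity> owners = new ConcurrentHashMap<>();

    /** True if the login may proceed; false if the folded name already belongs to another identity. */
    public boolean allowLogin(String username, Identity who) {
        String key = username.toLowerCase(Locale.ROOT);
        Identity owner = owners.putIfAbsent(key, who);
        return owner == null || owner.equals(who);
    }

    public static void main(String[] args) {
        // Constructed sample accounts: same name apart from case, different platforms.
        Identity javaUser = new Identity(Platform.JAVA, UUID.randomUUID());
        Identity xboxUser = new Identity(Platform.BEDROCK, UUID.randomUUID());

        // The reported behaviour: a store keyed only by the lowercased name
        // returns the Java account's entry for the Bedrock account as well.
        Map<String, String> groupByName = new HashMap<>();
        groupByName.put("lUckbob".toLowerCase(Locale.ROOT), "admin");
        String leaked = groupByName.get("luckbOb".toLowerCase(Locale.ROOT));
        System.out.println("name-keyed lookup for luckbOb: " + leaked);

        // The guard: the folded name is bound to one identity, and any other
        // identity presenting that name is refused before permissions load.
        NameCollisionGuard guard = new NameCollisionGuard();
        System.out.println("lUckbob (Java):    " + guard.allowLogin("lUckbob", javaUser));
        System.out.println("luckbOb (Bedrock): " + guard.allowLogin("luckbOb", xboxUser));
        System.out.println("LUCKBOB (Java):    " + guard.allowLogin("LUCKBOB", javaUser));
    }
}
```

The guard binds a name to whichever identity presents it first, so a real deployment would need to seed it from the accounts that already hold permissions rather than from login order.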