A guid has about 340,280,000,000,000,000,000,000,000,000,000,000,000 possible combinations so if a couple of dozens are stored in a database to indicate the permanently banned members there would still be enough combinations left. Then again, any GUID would be valid as long as it's not in the database.

The cookie would still identify a banned person after they've logged out of AO. If they then log in with a different account without clearing or modifying their cookie then you just provide them an error page, making it appear as if something went wrong. But in the meantime, this new or second account would be marked to be blocked too. And the third, fourth or even more, if the banned person forgets to clear his cookie. (Just don't clear cookies when a person logs out.)

It's not a perfect protection but it's an additional layer that they will have to discover to bypass it.