What about using the hash part of the URL (#) instead of the query part (?)? That doesn't get sent to the server. Although you still have to trust that a script on the page isn't reading that information and shuttling it off somewhere else--but then, you're already trusting Facebook code anyway.
