I recently had to explain to a tech lead that you can "never trust the client," because any dedicated party can just curl around your UI and send whatever HTTP request they want.
I remember when this first occurred to me from me deciding that I didn't want to click download a series of things on some website where this was the intended use. I wrote a small shell script to curl it for me, and somewhere during the process of writing the script, I realized the true "power" of this. Ever since then, GET with search queries were protected against in everything I wrote from that point forward. Luckily, that was in the late 90s, so it's been a minute.
Amazingly incompetent.