There is a big issue in this type of form:
Suppose I created a form with many fields, and one of those fields, named receipt_no, is at the top of the form. This field, receipt_no, is read-only, and the receipt_no is generated automatically by the developer team using Java etc.
So, when the applicant opens that form, right-clicks and opens it in a new tab, the form opens by sending receipt_no in the URL.
Because of this, the applicant can manually edit/update this receipt_no to whatever receipt_no he/she wants.
After manually changing/updating the receipt number in the URL, the receipt number is changed/updated. This issue was flagged by the audit team as "PARAMETER TAMPERING".
I don't think this behavior you are showing of passing the parameter in the URL is done by Orbeon Forms proper. It is probably some logic that whoever built this form put in.
And yes, you are correct that if the receipt number can be passed to the form and is just trusted, it's quite unsafe. But again I think this logic must be something implemented by the author of that particular form.
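One way to stop a URL-supplied receipt number from being trusted blindly, as an added example that is not part of the thread and not Orbeon Forms code: the server attaches an HMAC tag when it generates the number and rejects any request whose tag does not match. The function names, the `sig` parameter and the idea of an `applicant_id` taken from the authenticated session are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, parse_qs

# Assumption: a server-side secret that never reaches the browser.
SERVER_KEY = secrets.token_bytes(32)


def _tag(receipt_no: str, applicant_id: str) -> str:
    # Length-prefix each field so ("12", "3") and ("1", "23") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (receipt_no.encode(), applicant_id.encode()))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_query(receipt_no: str, applicant_id: str) -> str:
    """Build the query string the server hands out when it generates the receipt."""
    return urlencode({"receipt_no": receipt_no,
                      "sig": _tag(receipt_no, applicant_id)})


def accept_receipt(query: str, applicant_id: str):
    """Return the receipt number if it is the one the server issued, else None."""
    params = parse_qs(query, keep_blank_values=True)
    receipt, sig = params.get("receipt_no", []), params.get("sig", [])
    # Reject missing or repeated parameters instead of picking one of them.
    if len(receipt) != 1 or len(sig) != 1:
        return None
    expected = _tag(receipt[0], applicant_id)
    # Constant-time comparison of the expected and supplied tags.
    if not hmac.compare_digest(expected.encode(), sig[0].encode()):
        return None
    return receipt[0]


# Constructed sample values, not taken from the thread.
issued = issue_query("RCPT-000123", "applicant-42")
tampered = issued.replace("RCPT-000123", "RCPT-000999")
```

Where the form does not need the number in the URL at all, keeping it in server-side session state and ignoring any client-supplied value removes the problem without a signature.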