Comment by shermantanktop

Comment by shermantanktop 10 months ago


User identity must be derived from security context, typically at the edge of the system.

But it’s so much easier for developers to think of userid as just another parameter, and they forget, and oops now they trust a random user-supplied parameter.
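
An added example, not part of the comment above: the same handler written both ways, first reading `userid` as an ordinary request parameter and then taking identity only from a token verified at the edge. The request shape, function names, key and invoice data are all constructed for illustration, and the HMAC token is a simplified stand-in for a real session mechanism (no expiry or rotation).

```python
import hashlib
import hmac

# Constructed key and data, for illustration only.
SESSION_KEY = b"example-key-not-for-production"
INVOICES = {"alice": ["inv-1001"], "bob": ["inv-2002"]}


def _sign(user_id: str) -> str:
    return hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Stand-in for the login service: called only after authentication succeeds."""
    return f"{user_id}.{_sign(user_id)}"


def authenticate(request: dict) -> str:
    """Edge step: derive the caller's identity from a verified token, or raise."""
    user_id, _, sig = request.get("token", "").rpartition(".")
    if not user_id or not hmac.compare_digest(sig.encode(), _sign(user_id).encode()):
        raise PermissionError("invalid or missing session token")
    return user_id


def list_invoices_unsafe(request: dict) -> list:
    """Anti-pattern: userid is treated as just another request parameter."""
    return INVOICES.get(request["params"]["userid"], [])


def list_invoices(request: dict) -> list:
    """Identity comes only from the security context; any userid parameter is ignored."""
    return INVOICES.get(authenticate(request), [])


# Constructed request: bob's valid session, with alice's id placed in a parameter.
crossed = {"token": issue_token("bob"), "params": {"userid": "alice"}}

if __name__ == "__main__":
    print("unsafe handler returns:", list_invoices_unsafe(crossed))
    print("context-derived handler returns:", list_invoices(crossed))
```

A useful review check that follows from this: handlers should have no code path that reads an identity field from request parameters, and a test like the crossed request above should return only the session owner's data.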