The backend must always validate and it's this validation that matters for any sort of 'security' or data integrity issue.