jillesvangurp 3 days ago
That's true for any content or request coming from the user. If it's not signed by a trusted party, you should not trust it and instead validate whatever you receive. It doesn't matter whether a client-side database, a cookie, a file, or indeed the URL was used. URLs are kind of convenient for a lot of things like form parameters, #link into an app or page, etc. That's state. Adding a bit more state via JSON in a parameter or whatever is about as old as the web is. Mostly, URL length restrictions are still a bit of a problem but you need really long URLs these days to hit those with most browsers. But aside from that, it's just another way to store stuff between requests.
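An added example, not part of the comment above: a server-side sketch of the two cases it distinguishes, JSON state in a URL parameter that carries a server-issued HMAC tag versus unsigned state that is validated field by field. The parameter names `s` and `q`, the `page`/`sort` fields, the limits and the key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = b"constructed-demo-key"  # assumption: a secret held only by the server
ALLOWED_SORT = {"date", "price", "name"}  # assumption: the only sort orders the app supports
DEFAULTS = {"page": 1, "sort": "date"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _tag(body: str) -> str:
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())

def sign_state(state: dict) -> str:
    """Serialize state as 'body.tag' so the server can later recognize its own output."""
    body = _b64(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_tag(body)}"

def load_signed_state(token: str):
    """Return the decoded state only if the tag verifies, otherwise None."""
    body, sep, tag = token.partition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None  # nothing is decoded or parsed before the tag has been checked
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def load_unsigned_state(raw: str) -> dict:
    """Unsigned state: parse defensively and keep only values that pass validation."""
    try:
        data = json.loads(raw)
    except (ValueError, RecursionError):
        return dict(DEFAULTS)
    if not isinstance(data, dict):
        return dict(DEFAULTS)
    page, sort = data.get("page"), data.get("sort")
    ok_page = type(page) is int and 1 <= page <= 10_000  # rejects bools, floats, strings
    ok_sort = isinstance(sort, str) and sort in ALLOWED_SORT
    return {"page": page if ok_page else DEFAULTS["page"],
            "sort": sort if ok_sort else DEFAULTS["sort"]}

def state_from_url(url: str) -> dict:
    """Prefer signed state (param 's'); otherwise fall back to validated param 'q'."""
    params = parse_qs(urlsplit(url).query)
    signed = load_signed_state(params.get("s", [""])[0])
    if signed is not None:
        return signed
    return load_unsigned_state(params.get("q", ["{}"])[0])
```

The tag only proves the server produced the state; it does not hide it, so anything placed in the URL remains readable by the user.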