URL hacking within the legacy form, using "Read Only"-conditions or "Display Only"-Items

Niklas Schmitz, Dec 17 2019

We have noticed that URL hacking is possible on our form pages. We still use the legacy form variant on the corresponding pages.

If you have a "Display Only" item or an item with a read-only condition, which is given a database column as source, you can write a value into the field via the URL and then successfully save it.

We are pretty sure that APEX has validated that these items must not be changed or that the value - since the setting "Always, replacing any existing value in session state" was selected - is simply overwritten.

This error does not occur with the new form variant of APEX 19.

Maybe this information helps somebody, or somebody even has a simple, quick solution for it.

Currently, we do not see any alternative other than either activating the URL checksum in each application or switching to the new form region. Given the size of our applications, however, both solutions are very time-consuming.

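An added example, not part of the original post and not Oracle's code: a Python check that scans web access logs for `f?p` URLs that set a value on an item meant to be display-only or read-only, which is the behaviour described above. The item names, the log format and the sample lines are constructed assumptions; the URL layout is the standard `f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues` syntax.

```python
import re
from urllib.parse import unquote

# Hypothetical names: list the Display Only / read-only items of your own pages.
PROTECTED_ITEMS = {"P10_SALARY", "P10_CREATED_BY"}

# Constructed access-log lines (not taken from a real system).
SAMPLE_LOG = """\
10.0.0.5 - alice [17/Dec/2019:10:01:02 +0100] "GET /ords/f?p=100:10:4711::NO::P10_ID:42 HTTP/1.1" 200 5120
10.0.0.7 - bob [17/Dec/2019:10:03:40 +0100] "GET /ords/f?p=100:10:4712::NO::P10_ID,P10_SALARY:42,99999 HTTP/1.1" 200 5133
10.0.0.7 - bob [17/Dec/2019:10:04:10 +0100] "GET /ords/f?p=100:10:4712::NO:RP:p10_created_by:%5CSmith%2C%20J%5C HTTP/1.1" 200 5140
10.0.0.9 - carol [17/Dec/2019:10:05:00 +0100] "GET /ords/f?p=100:1:4713 HTTP/1.1" 200 2048
"""

# Capture everything after f?p= up to whitespace, '&' or the closing quote.
FP_RE = re.compile(r'"(?:GET|POST) \S*?f\?p=([^\s&"]*)')

def split_values(raw):
    """Split itemValues on commas, honouring the \\value\\ quoting for commas."""
    values, buf, quoted = [], "", False
    for ch in raw:
        if ch == "\\":
            quoted = not quoted
        elif ch == "," and not quoted:
            values.append(buf)
            buf = ""
        else:
            buf += ch
    values.append(buf)
    return values

def items_set_by_url(fp_arg):
    """Return {ITEM_NAME: value} for the items an f?p argument sets."""
    parts = fp_arg.split(":")
    if len(parts) < 7 or not parts[6]:
        return {}
    # Names are upper-cased so the comparison ignores case.
    names = [n.strip().upper() for n in unquote(parts[6]).split(",")]
    values = split_values(unquote(parts[7])) if len(parts) > 7 else []
    values += [""] * (len(names) - len(values))
    return dict(zip(names, values))

def find_tampering(log_text, protected=PROTECTED_ITEMS):
    """Return (user, item, value) for each URL that sets a protected item."""
    hits = []
    for line in log_text.splitlines():
        m = FP_RE.search(line)
        for name, value in (items_set_by_url(m.group(1)) if m else {}).items():
            if name in protected:
                hits.append((line.split()[2], name, value))
    return hits
```

This only reports what reached the access log; it does not stop the value from being saved, so the two fixes named in the post remain the actual remedies.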