Remember the dude whose garage port opened and closed seemingly at random because his /toggle endpoint ended up in his browser's "most visited" list: https://news.ycombinator.com/item?id=16964907 ?
I have a feeling the same thing could happen here.
That's why you have to use a POST request. GET should be read-only and a browser will not re-issue a POST for things like most-visited, tab restore, pre-fetch, etc.
Yeah, that's what the guy in the linked post is talking about. Various services (Skype/Teams, Slack, Twitter, etc.) will also send a GET if the URL is shared there. I once saw an accidental hotel booking triggered by Skype because the booking was performed through a GET request with a brazillion parameters.
I have a feeling the same thing could happen here.