There are reasons we couldn't use a POST.
So, the original requirement to be able to have all the features was a directive from above without much context to our other initiatives, and we were told 'make it so'. We highlighted the issues, but due to timelines using a GET with the values was the only option that would make the timelines (that were aligned with other projects outside our teams).
However, as soon as the initial deployment was completed, work started to address this issue (not just the exposing of the details). However, that change hasn't made it through QA yet (due to other projects and bug-fixes).
Of course, the actual long-term solution has been delayed (as we highlighted to management when they came with this 'quick-fix') because the quick-fix wasn't quick and has resulted in a lot more work than they thought should be required.