Can users cURL their own data to the User Management API?

Can users PATCH/POST data they specify themselves to the /user endpoint sitting in my express app, specifying their own user ID and therefor trigger data they entered to be sent to their user profile’s app_data?

What do I need to validate?
Does Auth0 already validate incoming data?

Thanks in advance for the responses.