let me say you Develop a Report which has a parameter as User!userID.Value (Named as EmployeeID in Reports) to Filter your Data in the Reports and this is captured when user logs into Report Manager.
If you have this EmployeeID as Internal you cant change this Value by passing this Value in URL.
If you have this EmployeeID as Hidden and Deployed it..you can OverRide User!userID.Value by passing this Value in URL Like this ..
http://server/reportserver?/Sales/Northwest/Employee Sales Report&rs:Command=Render&EmployeeID=1234
Employee 1234 can pass 1235 and see his Data which will be security threat.
Hope this Clarifies your Doubt.